
202 matches found

Positive Technologies
added 2 days ago, 5 views

PT-2026-45711

The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin post settings save woo-jtl-connector action handled by JtlConnectorAdmin::save and on...

4.3 CVSS, 5.9 AI score, 0.00031 EPSS
Exploits 0, References 7

CVE
added 6 days ago, 9 views

CVE-2026-45551

Affected product: Group-Office (enterprise CRM/groupware). Vulnerability details: Before versions 26.0.25, 25.0.100, and 6.8.165, an authenticated user can persist arbitrary legacy settings for any user_id via index.php?r=core/saveSetting, and a client-side sink in the email module injects email_...

5.1 CVSS, 5.9 AI score, 0.00043 EPSS
Exploits 0, References 1

ATTACKERKB
added 6 days ago, 8 views

CVE-2026-45551

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any userid via index.php?r=core/saveSetting. A separate client-side sink in the email module...

5.1 CVSS, 5.9 AI score, 0.00043 EPSS
Exploits 0, References 2, Affected Software 1

Patchstack
added 2026/05/27 12:0 a.m., 7 views

WordPress 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification vulnerability

Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification vulnerability discovered by Legion Hunter in WordPress Plugin 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On versions <= 2.0.1...

4.3 CVSS, 5.8 AI score, 0.00034 EPSS
Exploits 0, References 1, Affected Software 1

Patchstack
added 2026/04/22 9:45 a.m., 2 views

WordPress Emailchef plugin <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Settings Deletion vulnerability

Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Settings Deletion vulnerability discovered by Legion Hunter in WordPress Plugin Emailchef versions <= 3.5.1...

4.3 CVSS, 5.8 AI score, 0.00014 EPSS
Exploits 0, References 1, Affected Software 1

Vulnrichment
added 2026/04/22 7:45 a.m., 1 views

CVE-2026-4117 CalJ <= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via 'save-obtained-key' Action

The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the...

5.3 CVSS, 5.7 AI score, 0.00015 EPSS
Exploits 0, References 7

Cvelist
added 2026/04/22 7:45 a.m., 22 views

CVE-2026-4117 CalJ <= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via 'save-obtained-key' Action

The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the...

5.3 CVSS, 0.00015 EPSS
Exploits 0, References 7

ATTACKERKB
added 2026/03/21 3:26 a.m., 0 views

CVE-2026-2294

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uipsaveglobalsettings' function in all versions up to, and including, 3.5.09. This makes it possible for...

4.3 CVSS, 5.9 AI score, 0.00039 EPSS
Exploits 0, References 3

NVD
added 2026/03/11 10:16 a.m., 2 views

CVE-2026-1993

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the updatesettings function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible fo...

8.8 CVSS, 0.00063 EPSS
Exploits 0, References 5

Patchstack
added 2026/02/13 10:43 p.m., 2 views

WordPress CallbackKiller service widget plugin <= 1.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update vulnerability

Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update vulnerability discovered by Legion Hunter in WordPress Plugin CallbackKiller service widget versions <= 1.2...

5.3 CVSS, 5.5 AI score, 0.00035 EPSS
Exploits 0, References 1, Affected Software 1

CNNVD
added 2026/02/04 12:0 a.m., 3 views

SAMSUNG Mobile devices security vulnerability

Samsung Mobile devices are a series of mobile devices produced by South Korea’s Samsung Corporation, including smartphones and tablets. Versions of Samsung Mobile Devices prior to SMR Feb-2026 Release 1 contained security vulnerabilities. These vulnerabilities stemmed from improper permission...

8.4 CVSS, 5.9 AI score, 0.00007 EPSS
Exploits 0, References 2

ATTACKERKB
added 2026/01/28 7:27 a.m., 2 views

CVE-2026-1054

The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rmsetotp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrar...

5.3 CVSS, 6 AI score, 0.00128 EPSS
Exploits 0, References 4

CVE
added 2026/01/14 6:40 a.m., 10 views

CVE-2025-14173

CVE-2025-14173 concerns the Perfit WooCommerce plugin for WordPress. The vulnerability is due to missing authorization on the logout function invoked through the actions hook on admin_init, affecting all versions up to and including 1.0.1. This enables unauthenticated attackers to delete arbitrar...

5.3 CVSS, 5.7 AI score, 0.00128 EPSS
Exploits 0, References 3

Patchstack
added 2026/01/06 10:12 p.m., 4 views

WordPress Quote Comments plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update vulnerability

Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update vulnerability discovered by Legion Hunter in WordPress Plugin Quote Comments versions <= 3.0.0...

5.3 CVSS, 6.8 AI score, 0.00048 EPSS
Exploits 0, References 1, Affected Software 1

RedhatCVE
added 2025/12/14 5:3 a.m., 1 views

CVE-2025-14367

The Easy Theme Options plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0. This is due to missing authorization checks in the etoimportsettings function. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...

5.3 CVSS, 5.9 AI score, 0.00036 EPSS
Exploits 0, References 1

CVE
added 2025/12/13 4:31 a.m., 8 views

CVE-2025-14446

CVE-2025-14446 affects the Popup Builder (Easy Notify Lite) WordPress plugin (versions

6.5 CVSS, 4.7 AI score, 0.00056 EPSS
Exploits 0, References 4

CVE
added 2025/12/13 4:31 a.m., 9 views

CVE-2025-14367

CVE-2025-14367 affects the WordPress plugin Easy Theme Options (versions up to 1.0). The issue is Missing Authorization in the eto_import_settings function, enabling authenticated attackers with Subscriber-level access and above to import arbitrary plugin settings via the eto_import_settings para...

5.3 CVSS, 5.5 AI score, 0.00036 EPSS
Exploits 0, References 3

Patchstack
added 2025/12/13 12:55 a.m., 12 views

WordPress Popup Builder plugin <= 1.1.37 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Settings Reset vulnerability

Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Settings Reset vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Popup Builder versions <= 1.1.37...

6.5 CVSS, 6.8 AI score, 0.00056 EPSS
Exploits 0, References 1, Affected Software 1

Positive Technologies
added 2025/12/13 12:0 a.m., 2 views

PT-2025-51067

The Easy Theme Options plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0. This is due to missing authorization checks in the eto import settings function. This makes it possible for authenticated attackers, with Subscriber-level access and above...

5.3 CVSS, 5.9 AI score, 0.00036 EPSS
Exploits 0, References 3

Cvelist
added 2025/12/12 3:20 a.m., 23 views

CVE-2025-14170 Vimeo SimpleGallery <= 0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification

The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the vimeogalleryadmin function hooked to adminmenu. This makes it possible for authenticated attackers, with Subscriber-lev...

4.3 CVSS, 0.00034 EPSS
Exploits 0, References 3