CVE-2026-8608

The CVE affects the WordPress plugin “Event Monster” (Event Monster – Event Management, Events Calendar, Tickets) up to version 2.1.0. The root cause is Insufficient Verification of Data Authenticity in the capture_payment() AJAX handler (wp_ajax_nopriv_em_capture_payment), which trusts client-su...

CVE-2026-6268

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpresscustomizernotifydismissaction AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in...

CVE-2026-3642

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshotformbuilderupdatefielddata AJAX handler lacks any capability checks currentusercan or nonce verification checkajaxreferer/wpverifynonce. The function is...

CVE-2026-1572

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler laeadminajax and insufficient...

PT-2026-33267

Name of the Vulnerable Software and Affected Versions AcyMailing versions 9.11.0 through 10.8.1 Description A missing capability check on the 'wp ajax acymailing router' AJAX handler allows authenticated attackers with Subscriber-level access or higher to access admin-only controllers, including...

WordPress plugin PDF Resume Parser 信息泄露漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has a PHP and MySQL based on the server set up a personal blog site features. WordPress plugin is an application plug-ins. WordPress plugin...

CVE-2025-12630

The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributor to view site options...

PT-2025-48709

CVE-2025-12630 The https://t.co/qJXADBHssq WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing user… https://t.co/IEMrlN1EhJ...

PT-2025-36114

Name of the Vulnerable Software and Affected Versions OceanWP WordPress theme versions prior to 4.1.2 Description The OceanWP WordPress theme is susceptible to unauthorized option updates due to a missing capability check within an AJAX request handler. This allows any authenticated user, even...

📄 WordPress WP Reactions Box 1.0 SQL Injection

WordPress WP Reactions Box plugin versions 1.0 and below suffer from a remote SQL Injection vulnerability. Exploit Title: WordPress WP Reactions Box Plugin 1.0 - SQL Injection Google Dork: N/A Date: 2025-08-24 Exploit Author: bRpsd cyatlive.no Vendor Homepage:...

PT-2024-38738 · WordPress · The Fileorganizer

Name of the Vulnerable Software and Affected Versions: The FileOrganizer – Manage WordPress and Website Files plugin for WordPress versions up to, and including, 1.0.9 Description: The issue is related to arbitrary file uploads due to missing file type validation in the fileorganizer ajax handler...

PT-2023-32305 · Supsystic · Digital Publications By Supsystic

Name of the Vulnerable Software and Affected Versions: Digital Publications by Supsystic plugin for WordPress versions up to, and including, 1.7.6 Description: The issue is due to missing or incorrect nonce validation on the AJAX action handler, making it possible for unauthenticated attackers to...

WordPress Plugin Event Espresso 4 Decaf 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forgery...