244 matches found
EUVD-2026-43134
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wpajax and wpajaxnopriv hooks, as the base...
PT-2026-57398
Name of the Vulnerable Software and Affected Versions AI Chatbot & Workflow Automation by AIWU versions prior to 1.4.13 Description The plugin contains a missing authorization flaw resulting from the absence of capability checks and nonce verification on AJAX actions registered under wp ajax and ...
CVE-2026-9857 Invoice123 <= 1.7.0 - Missing Authorization to Authenticated (Subscriber+) Setting Modification via s123_submit_api_key & s123_submit_invoice_settings AJAX actions
The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...
EUVD-2026-33280
Mautic has Stored Cross-Site Scripting XSS in Project Option Selector...
CVE-2026-12902
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor (WordPress) contains an authorization bypass in all versions up to 3.7.7. Authenticated attackers with contributor-level access can create arbitrary Media Library attachments by downloading remote images into the uploads directory via wp_...
CVE-2026-12349
The Premium Addons for KingComposer plugin for WordPress is vulnerable to unauthorized modification and loss of data in versions up to, and including, 1.1.1. This is due to missing authorization and capability checks on the addcustomsidebar and removecustomsidebar AJAX handlers, both of which are...
CVE-2026-11364
CVE-2026-11364 affects the Product Specifications for WooCommerce plugin for WordPress up to version 0.8.9. The root cause is missing capability checks and absent nonce verification in the __invoke() methods of AttributeGroupController and AttributeController, tied to AJAX actions dwps_modify_gro...
WordPress WP Hotel Booking plugin < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers vulnerability
Subscriber+ Missing Authorization in Multiple AJAX Handlers vulnerability discovered by Sanjorn Keeratirungsan in WordPress Plugin WP Hotel Booking versions 2.3.1...
CVE-2026-8089
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated...
CVE-2026-8089
CVE-2026-8089 affects the weMail plugin for WooCommerce (WordPress) prior to version 2.1.3. The issue is a reflected Cross-Site Scripting (XSS) vulnerability caused by not escaping a user-supplied parameter before reflecting it into an HTML attribute in a non-nonce-protected AJAX response. This a...
CVE-2026-53738
Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdpactionhandling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks...
EUVD-2026-35985
The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...
WordPress Contest Gallery Scanner
This Python script is a assessment tool designed to evaluate potential exposure of a WordPress Contest Gallery AJAX workflow by observing response differences from benign probe requests...
PT-2026-47678
The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rc options page function. This makes it possible for unauthenticated attackers to modify plugin settin...
CVE-2026-9811
A stored Cross-Site Scripting XSS vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields...
WordPress plugin Poll Maker 信息泄露漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
PT-2026-44823
Name of the Vulnerable Software and Affected Versions Mautic versions prior to 7.1.2 Description A stored Cross-Site Scripting XSS issue exists in the project selector component. The application fails to sanitize project names returned via AJAX before injecting them into the Document Object Model...
CVE-2026-8689
The CVE concerns the Visualizer: Tables and Charts Manager for WordPress plugin (WordPress) with versions up to 3.11.14. Root cause: missing capability checks on renderChartPages() and uploadData(), enabling certain AJAX actions (wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and...
SUSE CVE-2026-46028
In the Linux kernel, the following vulnerability has been resolved: crypto: algifaead - snapshot IV for async AEAD requests AFALG AEAD AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the...
CVE-2026-46028
In the Linux kernel, the following vulnerability has been resolved: crypto: algifaead - snapshot IV for async AEAD requests AFALG AEAD AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the...