Lucene search
K

142 matches found

RedhatCVE
RedhatCVE
added 2026/03/26 3:4 p.m.4 views

CVE-2026-3453

The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the changeplansubid parameter in the processcheckout function. The ppressprocesscheckout AJAX handler accepts a...

8.1CVSS5.8AI score0.00379EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/03/24 6:21 p.m.5 views

WordPress JupiterX Core plugin <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import vulnerability

Authenticated Subscriber+ Missing Authorization To Limited File Upload via Popup Template Import vulnerability discovered by Jack Pas Dark. - Black Lantern Security in WordPress Plugin JupiterX Core versions = 4.14.1...

8.8CVSS5.8AI score0.00676EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/03/23 6:5 p.m.7 views

WordPress Punnel plugin <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action vulnerability

Missing Authorization to Authenticated Subscriber+ Settings Update via 'punnelsaveconfig' AJAX Action vulnerability discovered by Poli - CMC Global in WordPress Plugin Punnel – Landing Page Builder versions = 1.3.1...

5.3CVSS5.8AI score0.00292EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/21 3:26 a.m.2 views

CVE-2026-4087 Pre* Party Resource Hints <= 1.8.20 - Authenticated (Subscriber+) SQL Injection via 'hint_ids' Parameter

The Pre Party Resource Hints plugin for WordPress is vulnerable to SQL Injection via the 'hintids' parameter of the pprhupdatehints AJAX action in all versions up to, and including, 1.8.20. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...

6.5CVSS5.9AI score0.00261EPSS
Exploits0References6
Patchstack
Patchstack
added 2026/03/11 7:19 a.m.6 views

WordPress ProfilePress plugin <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration vulnerability

Insecure Direct Object Reference to Authenticated Subscriber+ Arbitrary Subscription Cancellation/Expiration vulnerability discovered by kai63001 in WordPress Plugin ProfilePress versions = 4.16.11...

8.1CVSS5.8AI score0.00379EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/03/07 12:10 a.m.7 views

WordPress Winston AI plugin <= 0.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Plugin Settings Deletion vulnerability discovered by Legion Hunter in WordPress Plugin HUMN-1 AI Website Scanner & Human Certification by Winston AI versions = 0.0.3...

4.3CVSS5.8AI score0.00283EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/02/20 10:15 a.m.10 views

WordPress Smartsupp - live chat, AI shopping assistant and chatbots plugin <= 3.9.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

WordPress Smartsupp - live chat, AI shopping assistant and chatbots plugin = 3.9.1 - Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Smartsupp – live chat, chatbots, AI and lead generation versions = 3.9.1...

6.4CVSS5.5AI score0.00266EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/02/19 4:36 a.m.13 views

CVE-2026-1373

The CVE-2026-1373 affects the WordPress plugin Easy Author Image (affected: all versions up to 1.7). It enables a Stored Cross-Site Scripting via the author_profile_picture_url parameter due to insufficient input sanitization and output escaping. Exploitation requires an authenticated user with S...

6.4CVSS5.7AI score0.00152EPSS
Exploits0References2
CVE
CVE
added 2026/02/19 4:36 a.m.25 views

CVE-2026-2284

CVE-2026-2284 concerns the News Element Elementor Blog Magazine plugin for WordPress (

5.4CVSS5.5AI score0.00211EPSS
Exploits0References3
CVE
CVE
added 2026/02/19 4:36 a.m.13 views

CVE-2026-0974

The CVE affects the WordPress plugin Orderable (Restaurant Online Ordering System) up to version 1.20.0. A missing capability check in the install_plugin function allows authenticated attackers with Subscriber-level access and above to install arbitrary plugins, which can lead to Remote Code Exec...

8.8CVSS5.8AI score0.00605EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/19 4:36 a.m.31 views

CVE-2025-14427 Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MfaEmailDisable action in all versions up to, and including, 21.0.9. This makes it possible for...

4.3CVSS0.00198EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/19 3:25 a.m.30 views

CVE-2025-12448 Smartsupp – live chat, AI shopping assistant and chatbots <= 3.9.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The Smartsupp – live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00266EPSS
Exploits0References6
Patchstack
Patchstack
added 2026/02/19 12:5 a.m.8 views

WordPress Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update vulnerability

Missing Authorization to Authenticated Subscriber+ Email MFA Update vulnerability discovered by shark3y in WordPress Plugin Shield Security versions = 21.0.9...

4.3CVSS5.5AI score0.00198EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/02/18 10:46 p.m.8 views

WordPress Shopire plugin <= 1.0.57 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install vulnerability

Missing Authorization to Authenticated Subscriber+ Limited Plugin Install vulnerability discovered by Ky0toFu in WordPress Theme Shopire versions = 1.0.57...

4.3CVSS5.5AI score0.00319EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/02/18 4:35 a.m.29 views

CVE-2025-12071 Frontend User Notes <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification

The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funpajaxmodifynotes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS0.00158EPSS
Exploits0References2
NVD
NVD
added 2026/02/17 12:16 a.m.10 views

CVE-2025-12062

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fcloadtemplate function. This makes it possible for authenticated attackers, with Subscriber-leve...

8.8CVSS0.00723EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/02/07 1:13 p.m.7 views

CVE-2026-1499

The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the processaddsite AJAX action combined with path traversal in the file upload functionality. This...

8.8CVSS6AI score0.0094EPSS
Exploits0References1
NVD
NVD
added 2026/02/07 9:15 a.m.6 views

CVE-2026-0555

The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premmercewizardactions' AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing capability checks and insufficient input sanitization and output escaping on the state parameter. Thi...

6.4CVSS0.00244EPSS
Exploits0References6
Patchstack
Patchstack
added 2026/02/07 12:9 a.m.7 views

WordPress The Bucketlister plugin <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Bucket List Modification vulnerability discovered by Ivan Cese in WordPress Plugin The Bucketlister versions = 0.1.5...

4.3CVSS5.4AI score0.00158EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/02/03 11:16 a.m.8 views

WordPress EventPrime - Events Calendar, Bookings and Tickets plugin <= 3.4.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion vulnerability

WordPress EventPrime - Events Calendar, Bookings and Tickets plugin = 3.4.3 - Missing Authorization to Authenticated Subscriber+ Arbitrary Post Deletion vulnerability discovered by Lucio Sá in WordPress Plugin EventPrime versions = 3.4.3...

6.5CVSS5.4AI score0.00324EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder