CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

374 matches found

PublishPress Capabilities < 2.3.1 - Missing Authorization

The PublishPress Capabilities plugin for WordPress before 2.3.1 does not have proper authorization and CSRF checks when updating settings via the init hook, allowing unauthenticated attackers to update arbitrary blog options, such as setting the default role to administrator. id: CVE-2021-25032...

9.8CVSS7.4AI score0.81889EPSS

Exploits2References4

NVD•added 6 days ago•7 views

CVE-2026-45610

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FAUser::getId, false on the session-authenticated user, and...

6.5CVSS0.00015EPSS

Exploits0References1

NVD•added 2026/03/06 6:15 a.m.•3 views

CVE-2026-2446

The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CRSF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options such as defaultrole etc and create arbitrary admin users...

9.8CVSS0.00147EPSS

Exploits0References1

RedhatCVE•added 2026/01/09 12:32 p.m.•7 views

CVE-2023-4251

The EventPrime WordPress plugin before 3.2.0 does not have CSRF checks when creating bookings, which could allow attackers to make logged in users create unwanted bookings via CSRF attacks...

4.3CVSS6.7AI score0.0014EPSS

Exploits2References1

RedhatCVE•added 2026/01/09 10:46 a.m.•5 views

CVE-2022-0634

The ThirstyAffiliates WordPress plugin before 3.10.5 lacks authorization checks in the tainsertexternalimage action, allowing a low-privilege user with a role as low as Subscriber to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker...

4.3CVSS6.6AI score0.00071EPSS

Exploits2References1

RedhatCVE•added 2026/01/09 10:44 a.m.•1 views

CVE-2022-0398

The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an...

5.4CVSS6.7AI score0.00087EPSS

Exploits2References1

RedhatCVE•added 2026/01/09 10:44 a.m.•7 views

CVE-2022-0363

The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts...

4.3CVSS6.8AI score0.00087EPSS

Exploits1References1

RedhatCVE•added 2026/01/09 10:44 a.m.•6 views

CVE-2022-0444

The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key...

4.3CVSS6.9AI score0.00096EPSS

Exploits2References1

RedhatCVE•added 2026/01/07 9:20 a.m.•3 views

CVE-2024-2739

The Advanced Search WordPress plugin through 1.1.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.7CVSS6.8AI score0.00279EPSS

Exploits2References1

RedhatCVE•added 2026/01/07 9:19 a.m.•4 views

CVE-2024-2232

The lacks CSRF checks allowing a user to invite any user to any group including private groups...

8.1CVSS6.9AI score0.0035EPSS

Exploits1References1