Lucene search
K

353 matches found

Cvelist
Cvelist
added 2026/01/20 2:26 p.m.22 views

CVE-2026-0554 NotificationX <= 3.1.11 - Missing Authorization to Authenticated (Contributor+) Analytics Reset

The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level...

4.3CVSS0.00264EPSS
Exploits0References3
CVE
CVE
added 2026/01/20 3:25 a.m.18 views

CVE-2025-14351

CVE-2025-14351 concerns the WordPress plugin “Custom Fonts – Host Your Fonts Locally.” Wordfence’s vulnerability spotlight confirms a missing capability check in the constructor of the BCF_Google_Fonts_Compatibility class, affecting all versions up to and including 2.1.16. The result is unauthori...

5.3CVSS5.5AI score0.00232EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/01/17 5:22 a.m.11 views

CVE-2025-14384

The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /aioseo/v1/ai/credits REST route in all versions up to, and including, 4.9.2. This makes it possible for...

4.3CVSS5AI score0.00226EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/01/16 12:0 a.m.5 views

PT-2026-3213

The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /aioseo/v1/ai/credits REST route in all versions up to, and including, 4.9.2. This makes it possible for...

4.3CVSS5AI score0.00226EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/01/14 5:28 a.m.30 views

CVE-2025-14880 Netcash WooCommerce Payment Gateway <= 4.1.3 - Missing Authorization to Unauthenticated Order Status Modification

The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handlereturnurl function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommer...

5.3CVSS0.00227EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/14 12:0 a.m.4 views

PT-2026-2839

The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check success response function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce orde...

5.3CVSS5.3AI score0.00232EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/01/10 7:3 a.m.4 views

CVE-2025-14948 miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification

The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enablewcsmsnotification AJAX action in all versions up to, and including, 4.3.8. This makes it possible for...

5.3CVSS4.9AI score0.00227EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/10 12:0 a.m.7 views

PT-2026-1760

Name of the Vulnerable Software and Affected Versions miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress versions through 4.3.8 Description The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is subject to unauthorized data...

5.3CVSS6.2AI score0.00227EPSS
Exploits0References8
NVD
NVD
added 2026/01/09 12:15 p.m.7 views

CVE-2025-13717

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wpgvccfcheckdownloadrequest' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive...

5.3CVSS0.00321EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/01/09 9:16 a.m.4 views

CVE-2025-13496

The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosendlandingsauthget function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access...

5.3CVSS5.1AI score0.00277EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 8:46 a.m.9 views

CVE-2025-11877

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ualshookwploginfailed' lacks a capability check and writes failed usernames directly into updateoption calls. This makes it possible for unauthenticated attacker...

7.5CVSS5.8AI score0.00335EPSS
Exploits1References1
NVD
NVD
added 2026/01/08 7:15 a.m.7 views

CVE-2025-13679

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getorderbyid function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with...

6.5CVSS0.00207EPSS
Exploits0References2
CVE
CVE
added 2026/01/08 7:4 a.m.15 views

CVE-2025-13679

CVE-2025-13679 (Tutor LMS) : A missing capability check on get_order_by_id() in Tutor LMS ≤ 3.9.3 allows authenticated users with Subscriber+ privileges to enumerate orders and exfiltrate student PII (name, email, phone, billing address). WordPress plugin: Tutor LMS – eLearning and online course ...

6.5CVSS4.7AI score0.00207EPSS
Exploits0References2
NVD
NVD
added 2026/01/07 12:16 p.m.4 views

CVE-2025-13419

The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possibl...

5.3CVSS0.0023EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/01/07 9:19 a.m.5 views

CVE-2025-5919

The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and registerroutes functions in all versions up to, and including, 1.0.36. This makes it possible...

6.5CVSS5.2AI score0.0021EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/07 9:16 a.m.6 views

CVE-2025-13964

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catchlpajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents b...

5.3CVSS5.3AI score0.00232EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/01/07 12:0 a.m.13 views

PT-2026-1584

Name of the Vulnerable Software and Affected Versions User Activity Log plugin versions prior to and including 2.2 Description The User Activity Log plugin has an issue where the failed-login handler ual shook wp login failed does not perform a capability check. This allows unauthenticated...

7.5CVSS6.5AI score0.00335EPSS
Exploits1References7
OSV
OSV
added 2026/01/06 9:15 a.m.4 views

CVE-2025-9294

The Quiz and Survey Master QSM – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsmdashboarddeleteresult function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers,...

4.3CVSS5.8AI score0.00193EPSS
Exploits0References2
NVD
NVD
added 2026/01/06 9:15 a.m.5 views

CVE-2025-13964

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catchlpajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents b...

5.3CVSS0.00232EPSS
Exploits0References3
NVD
NVD
added 2026/01/06 8:15 a.m.6 views

CVE-2025-13812

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipressajaxgetposts and gamipressajaxgetusers functions in all versions up to, and including...

4.3CVSS0.00172EPSS
Exploits0References2
Rows per page
Query Builder