PT-2026-20596

Name of the Vulnerable Software and Affected Versions CTX Feed – WooCommerce Product Feed Manager plugin for WordPress versions through 6.6.11 Description The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress has a flaw that allows unauthorized arbitrary plugin installation. This i...

PT-2026-20616

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup widgets function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, wi...

PT-2026-20597

The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire admin install plugin function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and abov...

PT-2026-20623

Name of the Vulnerable Software and Affected Versions BackWPup – WordPress Backup & Restore Plugin versions prior to 5.6.3 Description The BackWPup – WordPress Backup & Restore Plugin for WordPress is susceptible to unauthorized data modification, potentially leading to privilege escalation. A...

PT-2026-20617

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MfaEmailDisable action in all versions up to, and including, 21.0.9. This makes it possible for...

PT-2026-20615

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sq ajax uninstall function in all versions up to, and including, 12.4.14. This makes it possible for authenticated attackers, with Subscriber-level acces...

PT-2026-20631

The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install plugin' function in all versions up to, and including, 1.20.0. This makes it possible for...

CVE-2026-2608

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Contributor-level access...

CVE-2026-1942

CVE-2026-1942 affects Blog2Social: Social Media Auto Post & Scheduler for WordPress (versions up to 8.7.4). The root cause is a missing capability check in the b2s_curation_draft AJAX action: the curationDraft() function only verifies current_user_can('read') and does not require edit_post permis...

CVE-2026-1942 Blog2Social: Social Media Auto Post & Scheduler <= 8.7.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2scurationdraft AJAX action in all versions up to, and including, 8.7.4. The curationDraft function only verifies...

CVE-2026-2127 SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...

CVE-2025-12356

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpajaxchangeticketstatus' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers,...

CVE-2025-12356

CVE-2025-12356 concerns Tickera – Sell Tickets & Manage Events for WordPress. The issue is an unauthorized data modification vulnerability caused by a missing capability check on the wp_ajax_change_ticket_status endpoint. It affects all versions up to and including 3.5.6.4, enabling authenticated...

CVE-2025-12356

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpajaxchangeticketstatus' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers,...

CVE-2026-1925

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'updatetemplatedata' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with...

CVE-2026-1925

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'updatetemplatedata' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with...

CVE-2025-12075

The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wostroubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber-level...

PT-2026-20291

Name of the Vulnerable Software and Affected Versions EmailKit – Email Customizer for WooCommerce & WP versions prior to 1.6.3 Description The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress has a flaw that allows unauthorized data modification. This is due to a missing...

PT-2026-20222

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp ajax change ticket status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attacker...

PT-2026-20352

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the process image data ajax callback function which handles the kadence import process image data AJAX...