5246 matches found
CVE-2025-15157 Starfish Review Generation & Marketing for WordPress <= 3.1.19 - Authenticated (Subscriber+) Arbitrary Options Update via srm_restore_options_defaults
The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srmrestoreoptionsdefaults' function in all versions up to, and including, 3.1.19. This...
CVE-2026-1104
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with...
CVE-2026-1671
The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winteractivitylogaction function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access...
CVE-2026-1537
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the loadstep function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to vie...
CVE-2025-15520 RegistrationMagic <= 6.0.7.2 - Subscriber+ Sensitive Data Disclosure
The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above...
PT-2026-8033
The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm restore options defaults' function in all versions up to, and including, 3.1.19. Thi...
CVE-2026-1748
The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access...
CVE-2026-2295
The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajaxpostgridloadmore' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attacker...
CVE-2026-1786
The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dgtwoptions' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings including...
CVE-2026-1671
The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winteractivitylogaction function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access...
CVE-2026-1537
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the loadstep function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to vie...
CVE-2026-1537
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the loadstep function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to vie...
CVE-2026-1537 LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the loadstep function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to vie...
PT-2026-7839
The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winter activity log action function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level acce...
CVE-2025-13391
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO Premium plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'unicporemovefile' function in all versions up to, and including, 4.9.60. This makes it possible for...
CVE-2026-2295
The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajaxpostgridloadmore' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attacker...
CVE-2026-2295
The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajaxpostgridloadmore' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attacker...
CVE-2026-2295
CVE-2026-2295 affects the WordPress plugin “WPZOOM Addons for Elementor – Starter Templates & Widgets” up to version 1.3.2, exposing protected post titles and excerpts via an unauthenticated request to ajax_post_grid_load_more due to a missing capability check. Multiple sources (Wordfence, CVE en...
CVE-2026-1786
CVE-2026-1786 : The Twitter posts to Blog plugin for WordPress is vulnerable due to a missing capability check on the internal dg_tw_options function, affecting all versions up to and including 1.11.25. This allows unauthenticated attackers to modify plugin settings (including Twitter API credent...
CVE-2026-1786 Twitter posts to Blog <= 1.11.25 - Missing Authorization to Unauthenticated Plugin Settings Update
The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dgtwoptions' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings including...