5230 matches found
PT-2026-4594
The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and...
PT-2026-4624
Name of the Vulnerable Software and Affected Versions: WP Go Maps (formerly WP Google Maps) versions through 10.0.04. Description: The WP Go Maps plugin for WordPress has an issue where data can be modified without proper authorization. This is due to a missing capability check within the...
CVE-2025-13921
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.1...
CVE-2025-13921
CVE-2025-13921 (weDocs for WordPress): Wordfence and related feeds confirm that weDocs versions up to 2.1.16 expose an unauthenticated ability to modify or lose documentation data due to a missing capability check in wedocs_user_documentation_handling_capabilities. An authenticated attacker with...
CVE-2025-13921 weDocs <= 2.1.16 - Missing Authorization to Authenticated (Subscriber+) Documentation Post Update
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.1...
CVE-2025-14866
The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'savesecondaryrolesfield' function. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-14866 Melapress Role Editor <= 1.1.1 - Improper Authorization to Authenticated (Subscriber+) Privilege Escalation via Secondary Role Assignment
The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'savesecondaryrolesfield' function. This makes it possible for authenticated attackers, with Subscriber-level...
PT-2026-4355
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including,...
CVE-2025-15347
The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the getitemspermissionscheck function in all versions up to, and including, 1.1.12. This...
CVE-2025-14351
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated...
CVE-2026-0548
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the deleteexistinguserphoto function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, wi...
CVE-2026-0554 NotificationX <= 3.1.11 - Missing Authorization to Authenticated (Contributor+) Analytics Reset
The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level...
CVE-2025-15043 The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'startmigration', 'cancelmigration', and 'revertmigration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with...
CVE-2026-0548 Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the deleteexistinguserphoto function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, wi...
CVE-2025-14351 Custom Fonts – Host Your Fonts Locally <= 2.1.16 - Missing Authorization to Unauthenticated Font Deletion
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated...
CVE-2025-14351
CVE-2025-14351 concerns the WordPress plugin “Custom Fonts – Host Your Fonts Locally.” Wordfence’s vulnerability spotlight confirms a missing capability check in the constructor of the BCF_Google_Fonts_Compatibility class, affecting all versions up to and including 2.1.16. The result is unauthori...