CVE-2025-13558 Blog2Social <= 8.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'deleteUserCcDraftPost' function in all versions up to, and including, 8.7.0. This makes it possible for authenticated attackers, wi...
CVE-2025-13558
The CVE-2025-13558 entry concerns the WordPress plugin Blog2Social: Social Media Auto Post & Scheduler, affected in versions up to 8.7.0. The root cause is a missing capability check in the deleteUserCcDraftPost function, enabling authenticated users with Subscriber-level access (and above) to mo...
PT-2025-47997
The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp ajax nopriv auycht saveCid' AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to...
PT-2025-48001
The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update refund status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level...
PT-2025-48011
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get order by id function in all versions up to, and including, 14. This makes it possible for unauthenticated attacker...
PT-2025-48094
Name of the Vulnerable Software and Affected Versions: AI Feeds plugin for WordPress versions through 1.0.11. Description: The AI Feeds plugin for WordPress is susceptible to arbitrary file uploads because of a missing capability check in the actualizador git.php file. This allows unauthenticated...
PT-2025-48010
The Social Images Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'options update' function in all versions up to, and including, 2.1. This makes it possible for unauthenticated attackers to delete the plugin's settings via a...
PT-2025-48093
Name of the Vulnerable Software and Affected Versions: CIBELES AI plugin for WordPress versions through 1.10.8. Description: The CIBELES AI plugin for WordPress has a flaw that allows unauthorized file uploads. This is due to a missing check for appropriate permissions within the actualizador git.ph...
PT-2025-47983
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'deleteUserCcDraftPost' function in all versions up to, and including, 8.7.0. This makes it possible for authenticated attackers, wi...
CVE-2025-13136
The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config' page in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-12877
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pandingbloodrequestaction function in all versions up to, and including, 2.1.15. This makes it possible for...
CVE-2025-10054
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ehcrmremoveagent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, wit...
EUVD-2025-198534
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pandingbloodrequestaction function in all versions up to, and including, 2.1.15. This makes it possible for...
EUVD-2025-198533
The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config' page in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-12170
The Checkbox plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wpajaxnoprivcheckboxcleanlog' AJAX endpoint in all versions up to, and including, 2.8.10. This makes it possible for unauthenticated attackers to clear log files...
CVE-2025-11815
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the uipsavesiteoption function in all versions up to, and including, 3.5.08. This makes it possible for authenticate...
CVE-2025-11773
The Cryptocurrency Token, Launchpad Presale, ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveDeployedContract' function in all versions up to, and including, 2.4.7. This makes it possible for...
CVE-2025-11003
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uipsaveuitemplate' function in all versions up to, and including, 3.5.08. This makes it possible for...
CVE-2025-12135
The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csscode' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the savecustomecode function. This makes it possible for unauthenticated attackers to inject arbitrary web...