32 matches found
EUVD-2026-33408
Shopper: Missing authorization on Product admin Livewire sub-form components...
Shopper: Missing authorization on Product admin Livewire sub-form components
Impact Sub-form Livewire components used in the product editor Edit, Inventory, Seo, Shipping, Files had no authorization on their store method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media witho...
CVE-2026-47742
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor Edit, Inventory, Seo, Shipping, Files had no authorization on their store method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO...
PT-2026-44943
Name of the Vulnerable Software and Affected Versions Shopper versions prior to 2.8.0 Description Sub-form Livewire components within the product editor—specifically those handling Edit, Inventory, Seo, Shipping, and Files—lack authorization on their store method. This allows any authenticated...
CVE-2026-7651
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...
PT-2026-44204
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw from 2026.4.9 to 2026.4.10 contained a security vulnerability. This vulnerability stemmed from a bypass of the sender policy in the outbound host media attachment reading assistant, which could...
EUVD-2026-9526
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the deleteFile method in the Uploader class lacking nonce verification and capability checks. The AJAX action is registered via...
CVE-2026-2899
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the deleteFile method in the Uploader class lacking nonce verification and capability checks. The AJAX action is registered via...
CVE-2026-2899 Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the deleteFile method in the Uploader class lacking nonce verification and capability checks. The AJAX action is registered via...
CVE-2026-2899
CVE-2026-2899 affects the Fluent Forms Pro Add On Pack for WordPress up to version 6.1.17. The root cause is Missing Authorization in the Uploader::deleteFile() path, due to lack of nonce verification and capability checks. The AJAX action is registered via addPublicAjaxAction(), creating both wp...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition via the media attachment handling. An attacker can access files outside the intended sandbox boundary by exploiting a race condition betwee...
CVE-2025-12081
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acfphotogalleryeditsave" function in all versions up to, and including, 3.0. This makes it possible for authenticated attackers, with subscriber level acce...
PT-2026-20577
Name of the Vulnerable Software and Affected Versions ACF Photo Gallery Field versions prior to 3.1 Description The ACF Photo Gallery Field plugin for WordPress has a flaw that allows unauthorized modification of data. This is due to a missing capability check within the acf photo gallery edit sa...
CVE-2025-14629
CVE-2025-14629 affects the WordPress plugin Alchemist Ajax Upload . The vulnerability is a missing capability check in the delete_file function, allowing unauthenticated users to delete arbitrary WordPress media attachments in all versions up to and including 1.1. The Wordfence report catalogs th...
PT-2026-4569
The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media...
WordPress plugin Alchemist Ajax: Security Vulnerabilities
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
WordPress plugin Guest posting / Frontend Posting / Front Editor – WP Front User Submit 安全漏洞
...
WordPress Filebird Plugin Missing Authorization Vulnerability
WordPress Filebird Plugin is a media library management plugin for WordPress that allows users to organize media files by creating folders and subfolders to improve the efficiency of media library management. WordPress Filebird Plugin suffers from a missing authorization vulnerability, which can ...
CVE-2025-13498 Download Manager <= 3.3.32 - Missing Authorization to Authenticated (Subscriber+) Media Attachment Password Disclosure
The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the wpdmmediaaccess AJAX action. This makes it possible for authenticated attackers,...