CVE-2026-3462

CVE-2026-3462 affects the Frisbii Pay plugin for WordPress (all versions up to 1.8.9). The vulnerability arises from missing capability checks on upload_csv and process_batch, enabling authenticated attackers with Subscriber-level access or higher to modify data by uploading arbitrary CSVs and ov...

EUVD-2026-39958

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'uploadcsv' and 'processbatch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access an...

CVE-2026-12471

The CVE concerns the Spexo WordPress theme. A missing capability check in the activate_plugin function affects all versions up to and including 2.0.11, allowing authenticated attackers with Subscriber-level access and above to activate a limited set of plugins. The information from connected docu...

EUVD-2026-39954

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activateplugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set o...

CVE-2026-12415

The CVE concerns the WordPress plugin Invoice Generator. Vulnerable in versions up to 1.0.0 due to a missing capability check on the pravel_invoice_edit_account() AJAX action. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account and accepts attacker-controlled user_id and user_em...

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the installoractivateaddonplugins function and a weak nonce hash in all...

HyperComments <= 1.2.2 - Arbitrary Options Update

The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hcrequesthandler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to...

CVE-2026-12094

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdbajaxdeleteuser function in versions up to, and including, 1.0.0. The handler is registered against both wpajaxcf7cdbdelete and...

CVE-2026-9710

The CVE covers the premium Cornerstone WordPress component bundled with X Theme, affected versions before 7.8.8. Root cause: a CSS-preview request handler did not enforce capability checks and exposed the nonce to every logged-in user on wp-admin pages. Impact: any authenticated user can evaluate...

EUVD-2026-38674

The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplussavetokenactioncallback and searchplusresettokenactioncallback...

PT-2026-51680

Name of the Vulnerable Software and Affected Versions Assistio versions prior to 1.1.3 Description The Assistio plugin for WordPress allows authenticated users with Subscriber-level access and above to perform unauthorized data modification. This occurs because the assistio plugin delete assistio...

CVE-2026-2381

The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxpayfororder function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or orderkey verification when...

CVE-2026-9187

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the actionremoveabandoned function, which is registered to both the...

CVE-2026-5149 RTMKit <= 2.0.7 - Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via 'entries_id' Parameter

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the getsubmissioncontent AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

CVE-2026-5149

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization up to version 2.0.7 due to get_submission_content lacking a capability check, enabling authenticated attackers with Contributor-level access to view arbitrary form submissions by iterating the entries_id parameter. Affected:...

EUVD-2026-37032

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the actionremoveabandoned function, which is registered to both the...

PT-2026-49613

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get submission content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

PT-2026-49620

Name of the Vulnerable Software and Affected Versions Abandoned Contact Form 7 versions prior to 2.3 Description The plugin allows unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on a site. This occurs because the action remove abandoned function, register...

CVE-2026-1291 Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/saveshortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with...

CVE-2026-4058

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the usersubscriptioncancel function in all versions up to, and including, 4.3.2. Thi...