
65782 matches found

CVE
added 2026/02/18 4:35 a.m. | 11 views

CVE-2026-1925

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on update_template_data in all versions up to 1.6.2. Authenticated attackers with Subscriber-level access and above can modify the title of a...

4.3 CVSS | 5.5 AI score | 0.00013 EPSS
Exploits: 0 | References: 4
ATTACKERKB
added 2026/02/18 4:35 a.m. | 4 views

CVE-2026-1925

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with...

4.3 CVSS | 5.5 AI score | 0.00013 EPSS
Exploits: 0 | References: 5
CVE
added 2026/02/18 4:35 a.m. | 9 views

CVE-2025-12071

CVE-2025-12071 — WordPress Frontend User Notes plugin vulnerable to Insecure Direct Object Reference. The flaw affects versions up to 2.1.0 and stems from missing validation on a user-controlled key in the funp_ajax_modify_notes endpoint, enabling authenticated attackers with Subscriber-level acc...

4.3 CVSS | 5.7 AI score | 0.00039 EPSS
Exploits: 0 | References: 2
Cvelist
added 2026/02/18 4:35 a.m. | 26 views

CVE-2025-12071 Frontend User Notes <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification

The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3 CVSS | 0.00039 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2026/02/18 4:35 a.m. | 4 views

CVE-2025-12071 Frontend User Notes <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification

The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3 CVSS | 5.7 AI score | 0.00039 EPSS
Exploits: 0 | References: 2
Patchstack
added 2026/02/18 12:34 a.m. | 7 views

WordPress Business Directory Plugin plugin <= 6.4.20 - Missing Authorization to Unauthenticated Arbitrary Listing Modification vulnerability

Missing Authorization to Unauthenticated Arbitrary Listing Modification vulnerability discovered by Sein Linn in WordPress Plugin Business Directory versions <= 6.4.20...

5.3 CVSS | 5.5 AI score | 0.0003 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
Patchstack
added 2026/02/18 12:33 a.m. | 4 views

WordPress EventPrime plugin <= 4.2.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter vulnerability

Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter vulnerability discovered by Supoj Polsawas sp0x5ec in WordPress Plugin EventPrime versions <= 4.2.8.4...

4.3 CVSS | 5.5 AI score | 0.00016 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
Positive Technologies
added 2026/02/18 12:0 a.m. | 5 views

PT-2026-20291

Name of the Vulnerable Software and Affected Versions: EmailKit – Email Customizer for WooCommerce & WP versions prior to 1.6.3. Description: The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress has a flaw that allows unauthorized data modification. This is due to a missing...

4.3 CVSS | 5.5 AI score | 0.00013 EPSS
Exploits: 0 | References: 6
Cvelist
added 2026/02/18 12:0 a.m. | 21 views

CVE-2025-70064

PHPGurukul Hospital Management System v4.0 contains a Privilege Escalation vulnerability. A low-privileged user (Patient) can directly access the Administrator Dashboard and all sub-modules (e.g., User Logs, Doctor Management) by manually browsing to the /admin/ directory after authentication. This...

0.00122 EPSS
Exploits: 1 | References: 2
Vulnrichment
added 2026/02/18 12:0 a.m. | 4 views

CVE-2025-70064

PHPGurukul Hospital Management System v4.0 contains a Privilege Escalation vulnerability. A low-privileged user (Patient) can directly access the Administrator Dashboard and all sub-modules (e.g., User Logs, Doctor Management) by manually browsing to the /admin/ directory after authentication. This...

5.5 AI score | 0.00122 EPSS
Exploits: 1 | References: 2
Positive Technologies
added 2026/02/18 12:0 a.m. | 7 views

PT-2026-20293

Name of the Vulnerable Software and Affected Versions: YayMail – WooCommerce Email Customizer plugin for WordPress versions through 4.3.2. Description: The YayMail – WooCommerce Email Customizer plugin for WordPress is susceptible to unauthorized data modification, potentially leading to privilege...

9.8 CVSS | 5.4 AI score | 0.0002 EPSS
Exploits: 1 | References: 12
Positive Technologies
added 2026/02/18 12:0 a.m. | 4 views

PT-2026-20363

The Business Directory Plugin for WordPress is vulnerable to authorization bypass due to a missing authorization check in all versions up to, and including, 6.4.20. This makes it possible for unauthenticated attackers to modify arbitrary listings, including changing titles, content, and email...

5.3 CVSS | 5.7 AI score | 0.0003 EPSS
Exploits: 0 | References: 5
Positive Technologies
added 2026/02/18 12:0 a.m. | 4 views

PT-2026-20290

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the wpo ips edi save order customer peppol identifiers AJAX action due to missing capability checks and order ownership validatio...

4.3 CVSS | 5.7 AI score | 0.00013 EPSS
Exploits: 0 | References: 5
CNNVD
added 2026/02/18 12:0 a.m. | 5 views

SourceCodester Customer Support System Security Vulnerability

The SourceCodester Customer Support System is an open-source customer support system developed by SourceCodester. Version 1.0 of the SourceCodester Customer Support System contains security vulnerabilities. These vulnerabilities stem from the AJAX scheduler in the ajax.php file, which lacks...

9.4 CVSS | 5.8 AI score | 0.00577 EPSS
Exploits: 1 | References: 2
Positive Technologies
added 2026/02/18 12:0 a.m. | 3 views

PT-2026-20379

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2s curation draft AJAX action in all versions up to, and including, 8.7.4. The curationDraft function only verifies current user...

6.5 CVSS | 5.7 AI score | 0.00013 EPSS
Exploits: 0 | References: 5
Positive Technologies
added 2026/02/18 12:0 a.m. | 4 views

PT-2026-20218

Name of the Vulnerable Software and Affected Versions: Frontend User Notes plugin for WordPress versions up to and including 2.1.0. Description: The Frontend User Notes plugin for WordPress contains a flaw that allows authenticated attackers with Subscriber-level access or higher to modify notes tha...

4.3 CVSS | 5.4 AI score | 0.00039 EPSS
Exploits: 0 | References: 4
Patchstack
added 2026/02/17 11:55 p.m. | 3 views

WordPress PDF Invoices & Packing Slips for WooCommerce plugin <= 5.6.0 - Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification vulnerability

Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WooCommerce PDF Invoices & Packing Slips versions <= 5.6.0...

4.3 CVSS | 5.5 AI score | 0.00013 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
Patchstack
added 2026/02/17 11:43 p.m. | 5 views

WordPress Frontend User Notes plugin <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification vulnerability

Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Frontend User Notes versions <= 2.1.0...

4.3 CVSS | 5.5 AI score | 0.00039 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
OSSF Malicious Packages
added 2026/02/17 11:14 p.m. | 5 views

Malicious code in pywin-simple-gui (PyPI)

Source: kam193 43b40c0dbbbc187822a28a401194873adc73d13e531f2789c4227374f7ec9e26 The package pretends to be a development helper but, in fact, downloads a remote executable. Dynamic analysis reveals actions like disabling Windows Defender a...

5.5 AI score
Exploits: 0 | References: 3
NVD
added 2026/02/17 10:18 p.m. | 6 views

CVE-2025-36183

IBM watsonx.data 2.2 through 2.2.1 IBM Lakehouse could allow a privileged user to upload malicious files that could be executed server to modify limited files or data...

3.8 CVSS | 0.00037 EPSS
Exploits: 0 | References: 1