Lucene search
+L

159 matches found

nuclei
nuclei
added yesterday86 views

Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion

The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server id: CVE-2023-5991 info: name: Hotel Booking...

9.8CVSS7.1AI score0.03313EPSS
Exploits2References2
nvd
nvd
added 2026/07/03 6:16 a.m.10 views

CVE-2026-9180

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the POST /motopress/appointment/v1/bookings REST endpoint being registered with 'permissioncallback' = 'returntrue',...

5.3CVSS0.00342EPSS
Exploits0References6
cvelist
cvelist
added 2026/07/03 4:30 a.m.38 views

CVE-2026-9180 MotoPress Appointment Booking <= 2.4.4 - Unauthenticated Insecure Direct Object Reference to 'payment_details.booking_id' Parameter

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the POST /motopress/appointment/v1/bookings REST endpoint being registered with 'permissioncallback' = 'returntrue',...

5.3CVSS0.00342EPSS
Exploits0References6
euvd
euvd
added 2026/07/03 4:30 a.m.7 views

EUVD-2026-41492

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the POST /motopress/appointment/v1/bookings REST endpoint being registered with 'permissioncallback' = 'returntrue',...

5.3CVSS5.7AI score0.00342EPSS
Exploits0References6
cve
cve
added 2026/07/03 4:30 a.m.23 views

CVE-2026-9180

MotoPress Appointment Booking for WordPress (versions up to 2.4.4) is vulnerable to an Authorization Bypass via a user-controlled booking_id. The REST endpoint POST /motopress/appointment/v1/bookings is registered with a permissive permission_callback (return_true ), and createBooking() loads the...

5.3CVSS5.7AI score0.00342EPSS
Exploits0References6
ptsecurity
ptsecurity
added 2026/07/03 12:0 a.m.14 views

PT-2026-55499

Name of the Vulnerable Software and Affected Versions MotoPress Appointment Booking versions prior to 2.4.5 Description The plugin contains an authorization bypass issue allowing unauthenticated users to modify booking details. The POST /motopress/appointment/v1/bookings endpoint is accessible to...

5.3CVSS5.9AI score0.00342EPSS
Exploits0References10
patchstack
patchstack
added 2026/07/02 12:0 a.m.4 views

WordPress MotoPress Appointment Booking plugin <= 2.4.4 - Unauthenticated Insecure Direct Object Reference to 'payment_details.booking_id' Parameter vulnerability

Unauthenticated Insecure Direct Object Reference to 'paymentdetails.bookingid' Parameter vulnerability discovered by g0wthr in WordPress Plugin MotoPress Appointment Booking versions = 2.4.4...

5.3CVSS5.9AI score0.00342EPSS
Exploits0References1Affected Software1
nvd
nvd
added 2026/07/01 10:16 a.m.10 views

CVE-2026-13454

The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

6.5CVSS0.00361EPSS
Exploits0References6
cvelist
cvelist
added 2026/07/01 8:30 a.m.36 views

CVE-2026-13454 MotoPress Appointment Booking <= 2.4.5 - Authenticated (Staff+) SQL Injection via 's' Parameter

The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

6.5CVSS0.00361EPSS
Exploits0References6
cve
cve
added 2026/07/01 8:30 a.m.17 views

CVE-2026-13454

CVE-2026-13454 affects MotoPress Appointment Booking for WordPress (

6.5CVSS5.8AI score0.00361EPSS
Exploits0References6
patchstack
patchstack
added 2026/06/30 8:6 p.m.6 views

WordPress MotoPress Appointment Booking plugin <= 2.4.5 - Authenticated (Staff+) SQL Injection vulnerability

Authenticated Staff+ SQL Injection vulnerability discovered by MatilJ in WordPress Plugin MotoPress Appointment Booking versions = 2.4.5...

6.5CVSS5.8AI score0.00361EPSS
Exploits0References1Affected Software1
euvd
euvd
added 2026/06/26 3:32 p.m.8 views

EUVD-2025-210352

Subscriber Broken Access Control in Restaurant Menu by MotoPress = 2.4.11 versions...

4.3CVSS5.8AI score0.00243EPSS
Exploits0References2
nvd
nvd
added 2026/06/26 3:16 p.m.9 views

CVE-2026-57644

Contributor SQL Injection in Restaurant Menu by MotoPress = 2.4.10 versions...

8.5CVSS0.00211EPSS
Exploits0References1
nvd
nvd
added 2026/06/26 3:16 p.m.8 views

CVE-2025-63078

Subscriber Broken Access Control in Restaurant Menu by MotoPress = 2.4.11 versions...

4.3CVSS0.00243EPSS
Exploits0References1
cve
cve
added 2026/06/26 2:53 p.m.10 views

CVE-2026-57644

CVE-2026-57644 describes a SQL Injection in the WordPress plugin “Restaurant Menu by MotoPress” for versions

8.5CVSS5.8AI score0.00211EPSS
Exploits0References1
cvelist
cvelist
added 2026/06/26 2:53 p.m.31 views

CVE-2026-57644 WordPress Restaurant Menu by MotoPress plugin <= 2.4.10 - SQL Injection vulnerability

Contributor SQL Injection in Restaurant Menu by MotoPress = 2.4.10 versions...

8.5CVSS0.00211EPSS
Exploits0References1
cvelist
cvelist
added 2026/06/26 2:52 p.m.35 views

CVE-2025-63078 WordPress Restaurant Menu by MotoPress plugin <= 2.4.11 - Broken Access Control vulnerability

Subscriber Broken Access Control in Restaurant Menu by MotoPress = 2.4.11 versions...

4.3CVSS0.00243EPSS
Exploits0References1
cve
cve
added 2026/06/26 2:52 p.m.14 views

CVE-2025-63078

The CVE-2025-63078 entry concerns the WordPress plugin “Restaurant Menu by MotoPress” (MotoPress) &lt;= 2.4.11. Affected component is the plugin’s access control mechanism, with root cause described as Broken Access Control. The vulnerability is reported to affect users of the plugin in WordPress...

4.3CVSS5.8AI score0.00243EPSS
Exploits0References1
patchstack
patchstack
added 2026/06/26 2:12 p.m.6 views

WordPress Restaurant Menu by MotoPress plugin <= 2.4.11 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin Restaurant Menu by MotoPress versions = 2.4.11...

4.3CVSS5.8AI score0.00243EPSS
Exploits0Affected Software1
patchstack
patchstack
added 2026/06/26 1:13 p.m.8 views

WordPress Restaurant Menu by MotoPress plugin <= 2.4.10 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Baikuya in WordPress Plugin Restaurant Menu by MotoPress versions = 2.4.10...

8.5CVSS5.8AI score0.00211EPSS
Exploits0Affected Software1
Rows per page
Query Builder