126 matches found
CVE-2026-15350
The The Cache Purger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.3.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level...
EUVD-2026-44884
The The Cache Purger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.3.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level...
CVE-2026-15350
CVE-2026-15350 affects the WordPress plugin The Cache Purger (up to version 2.3.20). The vulnerability is an authorization bypass that allows authenticated users with subscriber-level access or higher to permanently truncate the plugin’s cache-purge audit log (wp-content/purge.log), destroying th...
CVE-2026-12385
CVE-2026-12385 affects the Smart Slider 3 WordPress plugin up to version 3.5.1.37. The issue is a Sensitive Information Exposure via the keyword parameter, enabling authenticated attackers with contributor-level access and above to extract titles and full content excerpts from private, draft, pen...
CVE-2026-13250
The Solace Extra plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.5.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete all...
EUVD-2026-43123
The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...
CVE-2026-10628
The CVE concerns the WordPress plugin Points and Rewards for WooCommerce (affected: all versions up to 2.10.0). It describes an authorization bypass in which authenticated users with subscriber-level access and above can perform arbitrary modifications via multiple AJAX actions. Core implications...
CVE-2026-10628 Points and Rewards for WooCommerce <= 2.10.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via Multiple AJAX Actions
The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...
EUVD-2026-43025
The Eventin – Event Calendar, Event Registration, Tickets & Booking AI Powered plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform a...
EUVD-2026-42851
The Import and export users and customers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.0 via the emailtemplateselected. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the...
CVE-2026-11992
The Easy Appointments plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.12.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level...
CVE-2026-9021
The CVE concerns the WordPress plugin Easy Invoice (WordPress plugin) with vulnerability in versions up to 2.1.19. The root cause is Missing Authorization via AJAX actions easy_invoice_accept_quote and easy_invoice_decline_quote , registered with wp_ajax_nopriv_ hooks and relying on a quote-scope...
CVE-2026-9021
The Easy Invoice plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.19. This is due to the plugin registering the easyinvoiceacceptquote and easyinvoicedeclinequote AJAX actions via wpajaxnopriv hooks and relying solely on a quote-scoped nonce that i...
EUVD-2026-42566
The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
CVE-2026-9237 Employee, Leave and Recruitment Management System <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Job Deletion via crewhrm_singleJobAction AJAX Action
The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
CVE-2026-14245
The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the umresetpasswordprocesshook function performing no server-side...
CVE-2026-12406
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.7. This is due to the plugin not properly verifying that a user is authorized to perform an...
CVE-2026-9725
The CVE-2026-9725 issue affects the Printcart Web to Print Product Designer for WooCommerce plugin for WordPress (versions
EUVD-2026-41488
The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2 This is due to insufficient path validation in the storedesigndata function, which constructs a filesystem path from the user-supplied...
CVE-2026-12134
The CVE concerns the WordPress plugin JoomSport – for Sports: Team & League, Football, Hockey & more (up to and including version 5.7.8). It describes an authorization bypass where authenticated users with subscriber-level access and above can create arbitrary season groups or modify group names,...