CVE-2026-8684 MotoPress Hotel Booking <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary Booking Notes Modification via mphb_update_booking_notes AJAX Action

The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or...

CVE-2026-7249

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the splwupdateblockoptions and lwpcleanweathertransients functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with...

CVE-2026-4807

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the noncepermissionscheck method combined with the public exposure of a site-wide reusable nonce. The plugin expose...

EUVD-2026-28236

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the noncepermissionscheck method combined with the public exposure of a site-wide reusable nonce. The plugin expose...

CVE-2026-4024

Technical details about CVE-2026-4024 are not provided in the connected documents. Public specifics (affected versions, impact, fixes) require additional sources; monitor for updates.

CVE-2026-4024 Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both wpajax and wpajaxnopriv hooks, maki...

PT-2026-31882

The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save title AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page,...

EUVD-2026-20842

The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wpajaxziggeoajax handler only verifies a nonce checkajaxreferer but performs no capability checks via currentusercan. Furthermore, the nonce 'ziggeoajaxnonce' is exposed to all...

CVE-2026-4124

The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wpajaxziggeoajax handler only verifies a nonce checkajaxreferer but performs no capability checks via currentusercan. Furthermore, the nonce 'ziggeoajaxnonce' is exposed to all...

PT-2026-31569

Name of the Vulnerable Software and Affected Versions Ziggeo plugin for WordPress versions through 3.1.1 Description The Ziggeo plugin for WordPress is susceptible to missing authorization checks. The wp ajax ziggeo ajax handler verifies a nonce but does not confirm user capabilities using curren...

CVE-2026-3550 RockPress <= 1.0.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via AJAX Actions

The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions rockpressimport, rockpressimportstatus, rockpresslastimport, rockpressresetimport, and rockpresscheckservices...

PT-2026-26591

The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions rockpress import, rockpress import status, rockpress last import, rockpress reset import, and rockpress check...

CVE-2026-2888 Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter

The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the frmstrpamount AJAX handler updateintentajax overwriting the global $POST data with attacker-controlled JSON input and then...

PT-2026-25159

The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the frm strp amount AJAX handler update intent ajax overwriting the global $ POST data with attacker-controlled JSON input and...

CVE-2026-1306 midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action

The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affecte...

CVE-2026-1306

The MIDI-Synth WordPress plugin (

PT-2026-8073

Name of the Vulnerable Software and Affected Versions midi-Synth plugin for WordPress versions up to and including 1.1.0 Description The midi-Synth plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type and file extension validation within the 'export' AJAX...

CVE-2025-14757 Cost Calculator Builder <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the completepayment AJAX action being registered via wpajaxnopriv,...

CVE-2025-0951

Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquidresetwordpressbefore AJAX in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivat...