Lucene search
+L

506 matches found

OSV
OSV
added 2026/04/29 8:27 a.m.5 views

CVE-2026-4019 Complianz – GDPR/CCPA Cookie Consent <= 7.4.5 - Missing Authorization to Unauthenticated Private Post Content Disclosure via Consent Area REST Endpoint

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/postid/blockid using returntrue as the permissioncallback, allowing any...

5.3CVSS5.9AI score0.00276EPSS
Exploits0References8
CVE
CVE
added 2026/04/29 8:27 a.m.24 views

CVE-2026-4019

The CVE-2026-4019 vulnerability affects the WordPress plugin Complianz – GDPR/CCPA Cookie Consent (versions up to and including 7.4.5). The REST endpoint /wp-json/complianz/v1/consent-area/{post_id}/{block_id} uses a permissive permission_callback (__return_true), enabling unauthenticated request...

5.3CVSS5.3AI score0.00276EPSS
Exploits0References6
Patchstack
Patchstack
added 2026/04/28 7:52 p.m.9 views

WordPress Complianz – GDPR/CCPA Cookie Consent plugin <= 7.4.5 - Missing Authorization to Unauthenticated Private Post Content Disclosure vulnerability

Missing Authorization to Unauthenticated Private Post Content Disclosure vulnerability discovered by Wesley van de Kamp - Conda Security in WordPress Plugin Complianz versions = 7.4.5...

5.3CVSS5.2AI score0.00276EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/04/22 9:31 p.m.6 views

EUVD-2026-22828

The Advanced Custom Fields ACF plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...

5.3CVSS5.7AI score0.00625EPSS
Exploits0References18
NVD
NVD
added 2026/04/17 4:16 a.m.8 views

CVE-2026-4666

The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of extract$args, EXTROVERWRITE on user-controlled input in the edit method of classes/Posts.php in all versions up to, and including, 2.4.16. The postedit action handler in Actions.php passes...

6.5CVSS0.00331EPSS
Exploits0References8
NVD
NVD
added 2026/04/16 8:16 a.m.7 views

CVE-2026-0718

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultpshareCountcallback function in all versions up to, and including, 5.0.5. This makes it possible for...

5.3CVSS0.00283EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/16 12:0 a.m.6 views

PT-2026-33282

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp shareCount callback function in all versions up to, and including, 5.0.5. This makes it possible for...

5.3CVSS5.8AI score0.00283EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/15 8:28 a.m.7 views

CVE-2026-3649

The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportalpopupshortcode function is registered as an AJAX handler via wpajaxkatalogportalshortcodePrinter but lacks any capability check currentusercan or nonc...

5.3CVSS5.7AI score0.00316EPSS
Exploits0References6
NVD
NVD
added 2026/04/15 4:17 a.m.18 views

CVE-2026-4812

The Advanced Custom Fields ACF plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...

5.3CVSS0.00625EPSS
Exploits0References17
ATTACKERKB
ATTACKERKB
added 2026/04/15 1:25 a.m.3 views

CVE-2026-4812

The Advanced Custom Fields ACF plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...

5.3CVSS5.7AI score0.00625EPSS
Exploits0References18
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.11 views

PT-2026-33003

Name of the Vulnerable Software and Affected Versions Advanced Custom Fields ACF plugin for WordPress versions prior to 6.7.1 Description The plugin contains a flaw where AJAX field query endpoints accept user-supplied filter parameters that override field-configured restrictions without proper...

5.3CVSS5.1AI score0.00625EPSS
Exploits0References20
RedhatCVE
RedhatCVE
added 2026/04/02 10:53 a.m.7 views

CVE-2026-2696

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS including private posts in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...

5.3CVSS5.9AI score0.00301EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/01 6:31 a.m.8 views

EUVD-2026-17816

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS including private posts in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...

5.3CVSS5.9AI score0.00301EPSS
Exploits0References2
NVD
NVD
added 2026/04/01 6:16 a.m.7 views

CVE-2026-2696

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS including private posts in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...

5.3CVSS0.00301EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/01 6:0 a.m.5 views

CVE-2026-2696

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS including private posts in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...

5.3CVSS5.9AI score0.00301EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/01 6:0 a.m.13 views

CVE-2026-2696 Export All URLs < 5.1 - Unauthenticated Sensitive Data Exposure

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS including private posts in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...

5.9AI score0.00301EPSS
Exploits0References1
CVE
CVE
added 2026/04/01 6:0 a.m.21 views

CVE-2026-2696

The CVE-2026-2696 entry concerns the WordPress plugin Export All URLs (versions before 5.1). Affected component: the plugin’s CSV filename generation uses a predictable pattern based on a random 6‑digit number, and exported CSVs are stored in publicly accessible wp-content/uploads. This enables a...

5.3CVSS5.9AI score0.00301EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.13 views

PT-2026-29473

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS including private posts in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...

5.9AI score0.00301EPSS
Exploits0References2
OSV
OSV
added 2026/03/27 7:10 a.m.5 views

BIT-DISCOURSE-2026-33355 Discourse filters whisper posts from private-posts feed

Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0, 2026.2.1, and...

6.5CVSS5.9AI score0.00414EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/03/26 3:9 p.m.5 views

CVE-2026-33355

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1...

6.5CVSS5.8AI score0.00414EPSS
Exploits0References1
Rows per page
Query Builder