7 matches found
CVE-2026-2694
Affected software: The Events Calendar WordPress plugin. Vulnerability: Improper authorization due to inadequate capability checks on can_edit and can_delete, affecting all versions up to and including 6.15.16. Impact: Authenticated users with Contributor-level access and above can update or tras...
CVE-2025-62979
Insertion of Sensitive Information Into Sent Data vulnerability in airesvsg ACF to REST API acf-to-rest-api allows Retrieve Embedded Sensitive Data. This issue affects ACF to REST API: from n/a through <= 3.3.4...
CVE-2025-5998
The CVE-2025-5998 entry concerns the PPWP – Password Protect Pages WordPress plugin, prior to version 1.9.11. Technical details in the provided documents show that users with subscriber or higher roles can view content via the REST API, effectively bypassing password protection. The vulnerability...
CVE-2025-5920
The Sharable Password Protected Posts plugin before version 1.1.1 allows access to password-protected posts by providing a secret key in a GET parameter. However, the key is exposed by the REST API...
CVE-2024-0910
The Restrict for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.7 due to improper restrictions on hidden data that make it accessible through the REST API. This makes it possible for unauthenticated attackers to extract...
PT-2024-18081 · WordPress · Easy Maintenance Mode
Name of the Vulnerable Software and Affected Versions: Easy Maintenance Mode plugin for WordPress versions up to, and including, 1.4.2. Description: The issue allows authenticated attackers to obtain post and page content via the REST API, bypassing the protection provided by the plugin...
CVE-2020-35934
The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object including all metadata upon login via the REST API aam/v1/authenticate or aam/v2/authenticate. This is a security problem if this object stores information that the user is not supposed to have e.g.,...