Lucene search
K

588 matches found

NVD
NVD
added 2026/07/01 5:16 a.m.8 views

CVE-2026-13468

The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

7.5CVSS0.00367EPSS
Exploits0References8
CVE
CVE
added 2026/07/01 3:43 a.m.15 views

CVE-2026-13468

The CVE-2026-13468 affects the WordPress plugin Visualizer – Tables & Charts Manager with Built-in AI Generator, vulnerable in all versions up to 4.0.3. The root cause is missing authorization checks for actions on the plugin’s REST endpoint /wp-json/visualizer/v1/action/{chart}/{type}/, allowing...

7.5CVSS5.6AI score0.00367EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/07/01 3:43 a.m.7 views

CVE-2026-13468

The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

7.5CVSS5.6AI score0.00367EPSS
Exploits0References9
CVE
CVE
added 2026/06/30 6:32 p.m.18 views

CVE-2026-10513

CVE-2026-10513 affects the WordPress Webmention plugin (versions up to and including 5.8.0). The root cause is insufficient input sanitization and output escaping for MF2 author properties (avatar/url) processed by the unauthenticated webmention REST endpoint and rendered into HTML value attribut...

7.2CVSS5.9AI score0.00236EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/30 6:32 p.m.38 views

CVE-2026-10513 Webmention <= 5.8.0 - Unauthenticated Stored Cross-Site Scripting via MF2 'photo'/'url' Author Properties

The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the...

7.2CVSS0.00236EPSS
Exploits0References4
NVD
NVD
added 2026/06/26 7:16 a.m.8 views

CVE-2026-10823

The YMC Filter WordPress plugin before 3.11.3 does not properly authorize access to one of its REST API endpoints and does not validate a user-supplied query parameter, allowing unauthenticated attackers to retrieve the titles and content of private, draft, and other non-public posts...

7.5CVSS0.00921EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.15 views

PT-2026-52699

Name of the Vulnerable Software and Affected Versions Peplink InControl 2 versions 2 through 2.14.2 Description An access control bypass exists in certain /rest/o/orgId endpoints. This issue allows the use of a semicolon to circumvent established access-control rules. Recommendations Update Pepli...

7.7CVSS5.9AI score0.0022EPSS
Exploits1References6
Cvelist
Cvelist
added 2026/06/24 5:33 a.m.37 views

CVE-2026-9178 WP Forms Connector <= 1.8 - Missing Authorization to Unauthenticated Information Exposure via 'user/list' REST Endpoint

The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/ callback userDetail with permissioncallback set to 'returntrue', and the function's home-grown authentication only...

7.5CVSS0.00347EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/24 5:33 a.m.37 views

CVE-2026-9172 Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Account Deletion via /delete-account/ REST Endpoint

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the deletesingleaccount function in versions up to, and including, 1.2.0. The REST route...

5.3CVSS0.00227EPSS
Exploits0References3
OSV
OSV
added 2026/06/22 9:4 p.m.4 views

CVE-2026-56348 n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint

n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue HTTP requests with...

5.3CVSS6AI score0.00262EPSS
Exploits0References4
The Hacker News
The Hacker News
added 2026/06/20 9:56 a.m.17 views

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 CVSS score: 5.3, is a medium-severity information disclosure flaw that can allow unauthenticated attackers ...

7.5CVSS5.9AI score0.39704EPSS
Exploits2
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50244

Name of the Vulnerable Software and Affected Versions LearnPress versions prior to 4.3.7 Description An information disclosure issue exists where the edit context on a REST endpoint is not properly restricted by the edit users capability. This allows unauthenticated visitors to retrieve sensitive...

5.3CVSS5.8AI score0.00424EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 8:16 a.m.18 views

CVE-2026-8386

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

5.3CVSS0.00225EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/15 6:0 a.m.15 views

EUVD-2026-36698

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

5.3CVSS5.3AI score0.00225EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/15 6:0 a.m.7 views

CVE-2026-8386 WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Marker ID

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

5.3AI score0.00225EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/13 8:29 a.m.18 views

EUVD-2026-36649

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/saveshortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with...

4.3CVSS5.3AI score0.00214EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/06/13 8:29 a.m.8 views

CVE-2026-1291 Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/saveshortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with...

4.3CVSS5.3AI score0.00214EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/13 12:0 a.m.27 views

PT-2026-49090

Name of the Vulnerable Software and Affected Versions Meow Gallery versions prior to 5.4.5 Description The Meow Gallery plugin for WordPress allows unauthorized modification of data because of a missing capability check on the REST API endpoint "/wp-json/meow-gallery/v1/save shortcode"...

4.3CVSS5.3AI score0.00214EPSS
Exploits0References11
RedhatCVE
RedhatCVE
added 2026/06/05 7:42 p.m.9 views

CVE-2025-14481

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated...

4.3CVSS5.4AI score0.00288EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:38 p.m.10 views

CVE-2026-34837

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, he REST endpoint POST /api/v1/aiassistance/texttools/:id contains an authorization failure. Context data e.g., a group or organization supplied to be used in the AI prompt were not checked if they are accessible f...

5.3CVSS5.5AI score0.0018EPSS
Exploits0References1
Rows per page
Query Builder