CVE-2026-12240

The CVE-2026-12240 entry concerns the WordPress Export User Data plugin (up to version 2.2.6). Affected component: the unserialize path validation in the plugin allows an authenticated subscriber+ to trigger arbitrary file deletions on the server by exporting user data, with a crafted serialized ...

CVE-2026-57335

CVE-2026-57335 concerns the WordPress plugin WPQuads Ads (WPQuads)

CVE-2026-57332

The CVE affects the WordPress Wallet System for WooCommerce plugin, specifically versions

CVE-2026-57327

The connected documents identify CVE-2026-57327 as a vulnerability in the WordPress MainWP plugin up to version 6.1.1 describing a Subscriber/Broken Access Control issue. The underlying root cause is described as broken access control, but the documents do not provide concrete technical details s...

CVE-2026-57327 WordPress MainWP plugin <= 6.1.1 - Broken Access Control vulnerability

Subscriber Broken Access Control in MainWP = 6.1.1 versions...

CVE-2026-9676

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts...

EUVD-2026-40040

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts...

CVE-2026-9676

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts...

CVE-2026-9676

The vulnerability CVE-2026-9676 affects the F4 Post Tree WordPress plugin prior to 2.0.5. The issue arises because the plugin does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the...

WordPress CBX Bookmark & Favorite Plugin <= 2.0.4 - SQL Injection

CBX Bookmark & Favorite WordPress plugin = 2.0.4 contains a SQL injection caused by insufficient escaping of the 'orderby' parameter, letting authenticated attackers with Subscriber-level access extract sensitive database information id: CVE-2025-13652 info: name: WordPress CBX Bookmark & Favorit...

CVE-2026-3462

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'uploadcsv' and 'processbatch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access an...

CVE-2026-11987

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This...

CVE-2026-12471

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activateplugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set o...

CVE-2026-11364

The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the invoke methods of the...

CVE-2026-3462 Frisbii Pay <= 1.8.9 - Missing Authorization to Authenticated (Subscriber+) Payment Token Modification

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'uploadcsv' and 'processbatch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access an...

EUVD-2026-39958

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'uploadcsv' and 'processbatch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access an...

CVE-2026-3462

CVE-2026-3462 affects the Frisbii Pay plugin for WordPress (all versions up to 1.8.9). The vulnerability arises from missing capability checks on upload_csv and process_batch, enabling authenticated attackers with Subscriber-level access or higher to modify data by uploading arbitrary CSVs and ov...

CVE-2026-12471 Spexo <= 2.0.11 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activateplugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set o...

CVE-2026-12471

The CVE concerns the Spexo WordPress theme. A missing capability check in the activate_plugin function affects all versions up to and including 2.0.11, allowing authenticated attackers with Subscriber-level access and above to activate a limited set of plugins. The information from connected docu...

CVE-2026-11364 Product Specifications for Woocommerce <= 0.8.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attribute/Group Creation, Modification, and Deletion via 'dwps_modify_groups' and 'dwps_modify_attributes' AJAX Actions

The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the invoke methods of the...