Lucene search
K

93 matches found

Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.8 views

PT-2026-30797

Name of the Vulnerable Software and Affected Versions Link Whisper Free WordPress plugin versions prior to 0.9.1 Description The Link Whisper Free WordPress plugin has a publicly accessible REST endpoint that allows unauthenticated users to update settings. Recommendations Update to version 0.9.1...

6.5CVSS5.7AI score0.00186EPSS
Exploits1References5
CVE
CVE
added 2026/02/11 8:26 a.m.15 views

CVE-2026-1786

CVE-2026-1786 : The Twitter posts to Blog plugin for WordPress is vulnerable due to a missing capability check on the internal dg_tw_options function, affecting all versions up to and including 1.11.25. This allows unauthenticated attackers to modify plugin settings (including Twitter API credent...

6.5CVSS5.5AI score0.00284EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/02/04 8:25 a.m.3 views

CVE-2026-0679 Fortis for WooCommerce <= 1.2.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint

The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'checkfortisnotifyresponse' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order...

5.3CVSS5.5AI score0.00345EPSS
Exploits0References4
NVD
NVD
added 2026/01/28 12:15 p.m.23 views

CVE-2025-14616

The Recooty – Job Widget Old Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recootysavemaybe function. This makes it possible for unauthenticated attackers to update the...

4.3CVSS0.00128EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/01/14 5:28 a.m.29 views

CVE-2025-14389 WPBlogSyn <= 1.0 - Cross-Site Request Forgery to Arbitrary Remote Sync Configuration Update

The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted...

4.3CVSS0.00102EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/01/09 9:25 a.m.5 views

CVE-2023-4025

The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateplayer function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update player instances...

5.3CVSS5.4AI score0.0041EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/12/21 4:12 a.m.13 views

CVE-2025-13365

The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'halloweltseite' function. This makes it possible for unauthenticated attackers to update plugin settings and...

6.1CVSS4.9AI score0.00123EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/12/21 4:12 a.m.11 views

CVE-2025-14734

The Amazon affiliate lite Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'ADALsettingspage' function. This makes it possible for unauthenticated attackers to update...

5.4CVSS5.2AI score0.00101EPSS
Exploits0References1
EUVD
EUVD
added 2025/12/17 6:31 p.m.8 views

EUVD-2025-203902

The OTA firmware update mechanism in Netun Solutions HelpFlash IoT firmware v18178221102ASCIIPRO1R550 uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mod...

6.6CVSS7.2AI score0.00085EPSS
Exploits0References3
Patchstack
Patchstack
added 2025/12/15 11:2 p.m.9 views

WordPress OneSignal – Web Push Notifications plugin <= 3.6.1 - Missing Authorization to Unauthenticated Plugin Settings Update vulnerability

Missing Authorization to Unauthenticated Plugin Settings Update vulnerability discovered by Marcin Dudek dudekmar - CERT.PL in WordPress Plugin OneSignal – Web Push Notifications versions = 3.6.1...

5.3CVSS6.7AI score0.003EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2025/12/13 4:16 p.m.5 views

CVE-2025-14462

The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forge...

4.3CVSS0.00116EPSS
Exploits0References2
NVD
NVD
added 2025/12/12 11:15 a.m.4 views

CVE-2025-12841

The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options...

5.3CVSS0.00654EPSS
Exploits0References1
EUVD
EUVD
added 2025/12/12 10:17 a.m.6 views

EUVD-2025-203065

The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options...

5.3CVSS6.5AI score0.00654EPSS
Exploits0References2
CVE
CVE
added 2025/12/12 3:21 a.m.13 views

CVE-2025-14391

CVE-2025-14391 affects the WordPress plugin Simple Theme Changer . The vulnerability is a Cross-Site Request Forgery (CSRF) in versions up to 1.0 caused by missing or incorrect nonce validation, enabling unauthenticated attackers to update the plugin’s settings by tricking an administrator into p...

4.3CVSS5AI score0.00106EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2025/12/12 12:0 a.m.9 views

PT-2025-50919

Name of the Vulnerable Software and Affected Versions Bookit WordPress plugin versions prior to 2.5.1 Description The Bookit WordPress plugin contains a publicly accessible REST endpoint that allows unauthenticated modification of the plugin's Stripe payment settings. This allows attackers to alt...

5.3CVSS5.4AI score0.00654EPSS
Exploits0References5
CNNVD
CNNVD
added 2025/12/10 12:0 a.m.2 views

Meatmeet Pro BBQ Thermometer 安全漏洞

Meatmeet Pro BBQ Thermometer is an advanced smart thermometer from Meatmeet. A security vulnerability exists in Meatmeet Pro BBQ Thermometer version v1.0.34.4, which originates from an unauthenticated OTA upgrade mechanism and could lead to remote code execution...

8.8CVSS8AI score0.00518EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2025/12/05 6:7 a.m.3 views

CVE-2025-12355 Payaza <= 0.3.8 - Missing Authorization to Unauthenticated Order Status Update

The Payaza plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpajaxnoprivupdateorderstatus' AJAX endpoint in all versions up to, and including, 0.3.8. This makes it possible for unauthenticated attackers to update order statuses...

5.3CVSS5AI score0.00196EPSS
Exploits0References2
CVE
CVE
added 2025/12/05 5:31 a.m.14 views

CVE-2025-12128

CVE-2025-12128 concerns the WordPress plugin “Hide Categories Or Products On Shop Page” and affects versions up to and including 1.0.7. The issue is Cross-Site Request Forgery caused by missing or incorrect nonce validation in the save_data_hcps() function. This enables unauthenticated attackers ...

4.3CVSS4.8AI score0.00106EPSS
Exploits0References2
CVE
CVE
added 2025/11/18 9:27 a.m.16 views

CVE-2025-12391

CVE-2025-12391 affects the Restrictions for BuddyPress plugin for WordPress (

5.3CVSS5AI score0.00241EPSS
Exploits0References3
CVE
CVE
added 2025/11/18 8:27 a.m.18 views

CVE-2025-12406

CVE-2025-12406 concerns the WordPress plugin Project Honey Pot Spam Trap (versions

6.1CVSS5AI score0.00127EPSS
Exploits0References4
Rows per page
Query Builder