93 matches found
PT-2026-30797
Name of the Vulnerable Software and Affected Versions Link Whisper Free WordPress plugin versions prior to 0.9.1 Description The Link Whisper Free WordPress plugin has a publicly accessible REST endpoint that allows unauthenticated users to update settings. Recommendations Update to version 0.9.1...
CVE-2026-1786
CVE-2026-1786 : The Twitter posts to Blog plugin for WordPress is vulnerable due to a missing capability check on the internal dg_tw_options function, affecting all versions up to and including 1.11.25. This allows unauthenticated attackers to modify plugin settings (including Twitter API credent...
CVE-2026-0679 Fortis for WooCommerce <= 1.2.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint
The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'checkfortisnotifyresponse' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order...
CVE-2025-14616
The Recooty – Job Widget Old Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recootysavemaybe function. This makes it possible for unauthenticated attackers to update the...
CVE-2025-14389 WPBlogSyn <= 1.0 - Cross-Site Request Forgery to Arbitrary Remote Sync Configuration Update
The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted...
CVE-2023-4025
The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateplayer function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update player instances...
CVE-2025-13365
The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'halloweltseite' function. This makes it possible for unauthenticated attackers to update plugin settings and...
CVE-2025-14734
The Amazon affiliate lite Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'ADALsettingspage' function. This makes it possible for unauthenticated attackers to update...
EUVD-2025-203902
The OTA firmware update mechanism in Netun Solutions HelpFlash IoT firmware v18178221102ASCIIPRO1R550 uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mod...
WordPress OneSignal – Web Push Notifications plugin <= 3.6.1 - Missing Authorization to Unauthenticated Plugin Settings Update vulnerability
Missing Authorization to Unauthenticated Plugin Settings Update vulnerability discovered by Marcin Dudek dudekmar - CERT.PL in WordPress Plugin OneSignal – Web Push Notifications versions = 3.6.1...
CVE-2025-14462
The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forge...
CVE-2025-12841
The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options...
EUVD-2025-203065
The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options...
CVE-2025-14391
CVE-2025-14391 affects the WordPress plugin Simple Theme Changer . The vulnerability is a Cross-Site Request Forgery (CSRF) in versions up to 1.0 caused by missing or incorrect nonce validation, enabling unauthenticated attackers to update the plugin’s settings by tricking an administrator into p...
PT-2025-50919
Name of the Vulnerable Software and Affected Versions Bookit WordPress plugin versions prior to 2.5.1 Description The Bookit WordPress plugin contains a publicly accessible REST endpoint that allows unauthenticated modification of the plugin's Stripe payment settings. This allows attackers to alt...
Meatmeet Pro BBQ Thermometer 安全漏洞
Meatmeet Pro BBQ Thermometer is an advanced smart thermometer from Meatmeet. A security vulnerability exists in Meatmeet Pro BBQ Thermometer version v1.0.34.4, which originates from an unauthenticated OTA upgrade mechanism and could lead to remote code execution...
CVE-2025-12355 Payaza <= 0.3.8 - Missing Authorization to Unauthenticated Order Status Update
The Payaza plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpajaxnoprivupdateorderstatus' AJAX endpoint in all versions up to, and including, 0.3.8. This makes it possible for unauthenticated attackers to update order statuses...
CVE-2025-12128
CVE-2025-12128 concerns the WordPress plugin “Hide Categories Or Products On Shop Page” and affects versions up to and including 1.0.7. The issue is Cross-Site Request Forgery caused by missing or incorrect nonce validation in the save_data_hcps() function. This enables unauthenticated attackers ...
CVE-2025-12391
CVE-2025-12391 affects the Restrictions for BuddyPress plugin for WordPress (
CVE-2025-12406
CVE-2025-12406 concerns the WordPress plugin Project Honey Pot Spam Trap (versions