CVE-2026-53981 Cap-go < v12.128.2 Account Takeover via Unauthenticated Email Change Mechanism

Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect...

CVE-2026-8940

The CVE-2026-8940 entry concerns WordPress plugin WP Meta Sort Posts (versions

WordPress Hybrid Composer plugin <= 1.4.6 Unauthenticated Settings Change vulnerability

WordPress Hybrid Composer plugin = 1.4.6 Unauthenticated Settings Change vulnerability discovered by ? in WordPress Plugin Hybrid Composer versions = 1.4.6...

CVE-2019-25738

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hcajaxsaveoption action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to...

CVE-2026-40149

PraisonAI’s multi-agent system is vulnerable to an unauthenticated modification of the tool approval allowlist via the gateway’s /api/approval/allow-list endpoint (pre-4.5.128). By adding dangerous tool names (e.g., shell_exec, file_write) when no auth_token is configured, an attacker can cause t...

CVE-2026-0572

The CVE-2026-0572 entry concerns the WebPurify Profanity Filter plugin for WordPress. A missing capability check on the webpurify_save_options function affects all versions up to and including 4.0.2, allowing unauthenticated attackers to modify plugin settings and thus perform data modification. ...

CVE-2026-0572 WebPurify Profanity Filter <= 4.0.2 - Missing Authorization to Unauthenticated Plugin Settings Change via webpurify_save_options

The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurifysaveoptions' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settin...

CVE-2025-59102

The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored unencrypted. Combined with...

CVE-2026-22604 OpenProject is vulnerable to user enumeration via the change password function

OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/changepassword endpoint with an arbitrary User ID as the passwordchangeuserid parameter, the resulting error page would show the...

CVE-2023-1843

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability check on the permalinksetup function in versions up to, and including, 3.3.0. This makes it possible for unauthenticated attackers to change the...

VulnCheck KEV: CVE-2020-20627

The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauthenticated settings change...

VulnCheck KEV: CVE-2019-17228

includes/options.php in the motors-car-dealership-classified-listings aka Motors - Car Dealer & Classified Ads plugin through 1.4.0 for WordPress allows unauthenticated options changes...

CVE-2022-41135

Unauth. Plugin Settings Change vulnerability in Modula plugin = 2.6.9 on WordPress...

CVE-2022-41132

Unauthenticated Plugin Settings Change Leading To Stored XSS Vulnerability in Ezoic plugin = 2.8.8 on WordPress...

CVE-2022-35238

Unauthenticated Plugin Settings Change vulnerability in Awesome Filterable Portfolio plugin = 1.9.7 at WordPress...

CVE-2022-35242 WordPress THE Leads Management System: 59sec LITE plugin <= 3.4.1 - Unauthenticated plugin settings change vulnerability

Unauthenticated plugin settings change vulnerability in 59sec THE Leads Management System: 59sec LITE plugin = 3.4.1 at WordPress...

VulnCheck KEV: CVE-2022-33198

Unauthenticated WordPress Options Change vulnerability in Biplob Adhikari's Accordions plugin = 2.0.2 at WordPress...

Simple Online College Entrance Exam System 1.0 - Account Takeover Vulnerability

Exploit Title: Simple Online College Entrance Exam System 1.0 - Account Takeover Exploit Author: Amine ismail @aminei Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html Software Link:...

CVE-2020-20627

The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauthenticated settings change...

CVE-2019-20565

An issue was discovered on Samsung mobile devices with O8.x and P9.0 software. Attackers can change the USB configuration without authentication. The Samsung ID is SVE-2018-13300 September 2019...