258 matches found
WP DSGVO Tools (GDPR) <= 3.1.23 - Unauthenticated Arbitrary Post Deletion
WP DSGVO Tools GDPR = 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanentl...
CVE-2026-58192
CVE-2026-58192 affects Appium’s storage-plugin: prior to 1.1.6, POST /storage/delete passes user-supplied name into path.join(storageRoot, name) and fs.rimraf() without sanitization, enabling an unauthenticated remote attacker to escape the storage root via ../ and delete arbitrary writable files...
CVE-2026-14487 Simple Coherent Form <= 2.4.13 - Unauthenticated Arbitrary File Deletion via 'id' Parameter
The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated attackers to delete arbitrary files on the serve...
CVE-2026-12277
The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server such as wp-config.php when guest upload mode is enabled. Deleting...
EUVD-2026-42011
The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server such as wp-config.php when guest upload mode is enabled. Deleting...
CVE-2025-69134
Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper = 1.1.4 versions...
CVE-2025-69134
Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper = 1.1.4 versions...
PT-2026-54964
Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper = 1.1.4 versions...
CVE-2026-12094
The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdbajaxdeleteuser function in versions up to, and including, 1.0.0. The handler is registered against both wpajaxcf7cdbdelete and...
EUVD-2026-38677
The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the deletesingleaccount function in versions up to, and including, 1.2.0. The REST route...
EUVD-2026-38663
The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdbajaxdeleteuser function in versions up to, and including, 1.0.0. The handler is registered against both wpajaxcf7cdbdelete and...
CVE-2026-12094
The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdbajaxdeleteuser function in versions up to, and including, 1.0.0. The handler is registered against both wpajaxcf7cdbdelete and...
CVE-2026-12094 Advanced Contact Form 7 <= 1.0.0 - Missing Authorization to Unauthenticated Arbitrary Contact Form Submission Deletion via 'form_id' Parameter
The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdbajaxdeleteuser function in versions up to, and including, 1.0.0. The handler is registered against both wpajaxcf7cdbdelete and...
CVE-2026-12094
The CVE describes a vulnerability in the Advanced Contact Form 7 - Compact DB plugin for WordPress (versions delete() on the wp_cf7cdb_data table, using an attacker-supplied integer ID. This allows unauthenticated attackers to delete arbitrary contact form submission entries by enumerating primar...
WordPress Devs Accounting – Simple Accounting and Invoicing Solution plugin <= 1.2.0 - Missing Authorization to Unauthenticated Account Deletion vulnerability
Missing Authorization to Unauthenticated Account Deletion vulnerability discovered by jamaal in WordPress Plugin Devs Accounting – Simple Accounting and Invoicing Solution versions = 1.2.0...
CVE-2026-9843
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the viewpage function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete...
CVE-2026-52716
Unauthenticated Arbitrary File Deletion in WorkScout-Core = 1.7.11 versions...
CVE-2026-48929
Rocket.Chat in versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket...
EUVD-2026-37700
Unauthenticated Arbitrary File Deletion in WorkScout-Core = 1.7.11 versions...
CVE-2026-48929
Rocket.Chat versions older than 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 are vulnerable to unauthenticated file deletion through the deleteFileMessage Meteor method. When called over an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, bypassing the auth...