36 matches found

Patchstack
added 2026/05/27 7:43 p.m., 2 views

WordPress Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin <= 1.6.11.8 - Missing Authorization to Unauthenticated Arbitrary Modification vulnerability

Missing Authorization to Unauthenticated Arbitrary Modification vulnerability discovered by winrace in WordPress Plugin Simply Schedule Appointments versions <= 1.6.11.8...

CVSS 5.3, AI score 5.8, EPSS 0.00177
Exploits 0, References 1, Affected Software 1

Vulnrichment
added 2026/05/17 12:11 p.m., 4 views

CVE-2018-25336 jCart for OpenCart 2.3.0.2 Cross-Site Request Forgery

jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting endpoints , and to change user credentials, passwords, and affiliate account details...

CVSS 6.9, AI score 5.7, EPSS 0.0001
Exploits 0, References 4

NVD
added 2026/05/02 9:16 a.m., 3 views

CVE-2026-4024

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both wp_ajax and wp_ajax_nopriv hooks, maki...

CVSS 5.3, EPSS 0.00019
Exploits 0, References 7

EUVD
added 2026/04/22 9:31 a.m., 0 views

EUVD-2026-24707

The Fast & Fancy Filter – 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields function, which handles the fff_save_settins AJAX action. This makes it possible for unauthenticated...

CVSS 4.3, AI score 5.8, EPSS 0.00007
Exploits 0, References 6

CVE
added 2026/04/22 7:45 a.m., 3 views

CVE-2026-6396

CVE-2026-6396 concerns the WordPress plugin “Fast & Fancy Filter – 3F” (versions up to and including 1.2.2). The issue arises from missing nonce verification in the saveFields() function, which handles the fff_save_settins AJAX action. This design flaw allows unauthenticated attackers to forge re...

CVSS 4.3, AI score 5.8, EPSS 0.00007
Exploits 0, References 5

Patchstack
added 2026/04/17 9:57 a.m., 2 views

WordPress Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification vulnerability

WordPress Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification vulnerability discovered by Prickly Cactus in WordPress Plugin FluentForm...

CVSS 5.3, AI score 5.8, EPSS 0.00021
Exploits 0, References 1, Affected Software 1

NVD
added 2026/04/09 10:16 p.m., 3 views

CVE-2026-40149

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no authtoken is configured (the default). By adding dangerous tool names (e.g., shellexec, filewrite) to the allowlist, a...

CVSS 7.9, EPSS 0.00015
Exploits 1, References 1

CNNVD
added 2026/04/08 12:0 a.m., 4 views

WordPress plugin Quran Translations cross-site request forgery vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

CVSS 4.3, AI score 5.8, EPSS 0.00006
Exploits 0, References 5

ATTACKERKB
added 2026/04/04 1:24 a.m., 1 views

CVE-2026-3571

The Pie Register – User Registration, Profiles & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the piemain function in all versions up to, and including, 3.8.4.8. This makes it possible for unauthenticated attacker...

CVSS 6.5, AI score 5.9, EPSS 0.0003
Exploits 0, References 3

Patchstack
added 2026/02/18 11:28 p.m., 4 views

WordPress Razorpay for WooCommerce plugin <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification vulnerability

Missing Authentication to Unauthenticated Order Modification vulnerability discovered by Marcin Dudek dudekmar - CERT.PL in WordPress Plugin Razorpay for WooCommerce versions <= 4.7.8...

CVSS 5.3, AI score 5.5, EPSS 0.00219
Exploits 0, References 1, Affected Software 1

NVD
added 2026/02/14 7:16 a.m., 2 views

CVE-2026-1944

The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbksave function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settin...

CVSS 5.3, EPSS 0.00035
Exploits 0, References 5

RedhatCVE
added 2026/01/18 5:26 a.m., 3 views

CVE-2025-14029

The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxadmineventapproval function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via t...

CVSS 5.3, AI score 5.5, EPSS 0.00146
Exploits 0, References 1

RedhatCVE
added 2026/01/09 12:36 p.m., 1 views

CVE-2023-49230

An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication...

CVSS 8.8, AI score 6.8, EPSS 0.31075
Exploits 1, References 1

EUVD
added 2025/11/21 7:31 a.m., 1 views

EUVD-2025-198405

The Cryptocurrency Token, Launchpad Presale, ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4....

CVSS 5.3, AI score 5.4, EPSS 0.00266
Exploits 0, References 3

Cvelist
added 2025/10/31 2:26 a.m., 3 views

CVE-2025-11975 FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 - Missing Authorization to Authenticated (Subscriber+) Sync Rule Creation

The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savechanges function in all versions up to, and including,...

CVSS 4.3, EPSS 0.0012
Exploits 0, References 2

RedhatCVE
added 2025/10/04 11:53 a.m., 4 views

CVE-2025-9630

The WP SinoType plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the sinotypeconfig function. This makes it possible for unauthenticated attackers to modify typography settings via a...

CVSS 4.3, AI score 5.2, EPSS 0.00012
Exploits 0, References 1

RedhatCVE
added 2025/05/23 9:1 a.m., 0 views

CVE-2024-4543

The Snippet Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.4. This is due to missing or incorrect nonce validation when adding or editing shortcodes. This makes it possible for unauthenticated attackers to modify shortcodes vi...

CVSS 4.3, AI score 5.8, EPSS 0.00092
Exploits 0, References 1

RedhatCVE
added 2025/05/23 5:38 a.m., 0 views

CVE-2023-26571

Missing authentication in the SetStudentNotes method in IDAttend’s IDWeb application 3.1.052 and earlier allows modification of student data by unauthenticated attackers...

CVSS 7.5, AI score 7.2, EPSS 0.00237
Exploits 0, References 1

OSV
added 2025/02/01 4:15 a.m., 0 views

CVE-2024-12620

The AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'agljson' AJAX action in all versions up to, and including, 1.4.23. This makes it possible for...

CVSS 5.3, AI score 5.8, EPSS 0.00359
Exploits 0, References 2

OSV
added 2024/10/11 1:15 p.m., 0 views

CVE-2024-9586

The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'checkauth' and 'checklogout' functions in versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update plugin settings...

CVSS 5.3, AI score 5.8
Exploits 0, References 3