80 matches found
CVE-2025-15347
The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the getitemspermissionscheck function in all versions up to, and including, 1.1.12. This...
CVE-2022-0952
The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as...
CVE-2025-14370
The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecommentsaddadmin function. This makes it possible for authenticated attackers, with Subscriber-level access and above...
CVE-2025-11877
The CVE-2025-11877 issue affects WordPress User Activity Log versions up to 2.2. The vulnerability is in the failed-login handler (ual_shook_wp_login_failed), which lacks a capability check and writes failed usernames into update_option() calls. This allows unauthenticated attackers to push certa...
CVE-2025-11985
The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rpsavepropertysettings' function in versions 0.1 to 0.4.1. This makes it possible for authenticated attackers, with...
CVE-2025-11985 Realty Portal <= 0.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rpsavepropertysettings' function in versions 0.1 to 0.4.1. This makes it possible for authenticated attackers, with...
EUVD-2025-12134
Malicious code in bioql PyPI...
CVE-2025-9018 Time Tracker <= 3.1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update and Limited Data Deletion
The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'ttupdatetablefunction' and 'ttdeleterecordfunction' functions in all versions up to, and including, 3.1.0. This makes it possible for authenticated attackers...
CVE-2025-8425
The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajaximportstrings function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with...
CVE-2025-8425 My WP Translate <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajaximportstrings function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with...
CVE-2025-8425
CVE-2025-8425 affects the WordPress plugin My WP Translate (versions
CVE-2023-0584
The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'updateoptions' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change the 'vkfontawesomeversion' option to an arbitrar...
CVE-2023-1016
The Intuitive Custom Post Order plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.1.4.1, due to insufficient escaping on the user supplied 'objects' and 'tags' parameters and lack of sufficient preparation in the 'updateoptions' function as well as the...
CVE-2022-3451
The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options...
WordPress plugin Xelion Webchat 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plug-in. A security vulnerability...
PT-2025-14457 · WordPress · Insert Headers/Footers Code – Ht Script
Name of the Vulnerable Software and Affected Versions: The Insert Headers and Footers Code – HT Script plugin for WordPress versions up to, and including, 1.1.2 Description: The issue is related to a missing capability check on the ajax dismiss function, allowing authenticated attackers with...
CVE-2025-2103
The SoundRise Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on theironMusicajax function in all versions up to, and including, 1.6.11. This makes it possible for authenticated attackers, with...
WordPress Eco Nature - Environment & Ecology WordPress theme <= 2.0.4 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update vulnerability
WordPress Eco Nature - Environment & Ecology WordPress theme = 2.0.4 - Missing Authorization to Authenticated Subscriber+ Limited Options Update vulnerability discovered by Lucio Sá in WordPress Theme Eco Nature versions = 2.0.4...
WordPress Zegen theme <= 1.1.9 - Missing Authorization to Authenticated (Subscriber+) Theme Options Updates vulnerability
Missing Authorization to Authenticated Subscriber+ Theme Options Updates vulnerability discovered by Lucio Sá in WordPress Theme Zegen versions = 1.1.9...
CVE-2024-9193
The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpressdomainsearchajaxextendedresults function. This makes it possible for unauthenticated attackers to include and execute...