Lucene search
K

436 matches found

Cvelist
Cvelist
added 2026/04/15 11:25 p.m.38 views

CVE-2026-4880 Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication

The Barcode Scanner +Mobile App – Inventory manager, Order fulfillment system, POS Point of Sale plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied...

9.8CVSS0.00503EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.7 views

PT-2026-33024

The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax revoke token function which handles the 'petjeaf disconnect' AJAX action. The function performs destructive operations...

4.3CVSS5.8AI score0.00163EPSS
Exploits0References9
Patchstack
Patchstack
added 2026/04/09 11:29 p.m.4 views

WordPress MStore API plugin <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference to Arbitrary User Meta Update vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin MStore API versions = 4.18.3...

4.3CVSS5.9AI score0.00226EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/04/09 6:30 a.m.3 views

EUVD-2026-20840

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the updateuserprofile function in controllers/flutter-user.php processing the 'metadata' JSON parameter without any allowlist, blocklist, or validatio...

4.3CVSS6AI score0.00226EPSS
Exploits0References9
NVD
NVD
added 2026/04/09 4:16 a.m.7 views

CVE-2026-3568

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the updateuserprofile function in controllers/flutter-user.php processing the 'metadata' JSON parameter without any allowlist, blocklist, or validatio...

4.3CVSS0.00226EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/04/09 2:25 a.m.2 views

CVE-2026-3568

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the updateuserprofile function in controllers/flutter-user.php processing the 'metadata' JSON parameter without any allowlist, blocklist, or validatio...

4.3CVSS6AI score0.00226EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2026/04/09 2:25 a.m.1 views

CVE-2026-3568 MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the updateuserprofile function in controllers/flutter-user.php processing the 'metadata' JSON parameter without any allowlist, blocklist, or validatio...

4.3CVSS6AI score0.00226EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/04/09 2:25 a.m.32 views

CVE-2026-3568 MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the updateuserprofile function in controllers/flutter-user.php processing the 'metadata' JSON parameter without any allowlist, blocklist, or validatio...

4.3CVSS0.00226EPSS
Exploits0References8
CVE
CVE
added 2026/04/09 2:25 a.m.15 views

CVE-2026-3568

CVE-2026-3568 affects the WordPress MStore API plugin up to version 4.18.3. The root cause is in update_user_profile() processing the raw JSON field 'meta_data' without validation, allowlisting, or sanitization, and then applying arbitrary keys/values to update_user_meta() after cookie-based auth...

4.3CVSS6AI score0.00226EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.8 views

PT-2026-31567

Name of the Vulnerable Software and Affected Versions MStore API plugin for WordPress versions up to and including 4.18.3 Description The MStore API plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This stems from the update user profile function within...

4.3CVSS5.8AI score0.00226EPSS
Exploits0References12
EUVD
EUVD
added 2026/04/08 6:31 a.m.4 views

EUVD-2026-20043

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspnajaxnoprivserver function within the 'userspnformsave' case. The conditional...

9.8CVSS6.1AI score0.00889EPSS
Exploits0References13
NVD
NVD
added 2026/04/08 5:16 a.m.10 views

CVE-2026-4003

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspnajaxnoprivserver function within the 'userspnformsave' case. The conditional...

9.8CVSS0.00889EPSS
Exploits0References12
Vulnrichment
Vulnrichment
added 2026/04/08 3:36 a.m.1 views

CVE-2026-4003 Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspnajaxnoprivserver function within the 'userspnformsave' case. The conditional...

9.8CVSS6.1AI score0.00889EPSS
Exploits0References12
Cvelist
Cvelist
added 2026/04/08 3:36 a.m.21 views

CVE-2026-4003 Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspnajaxnoprivserver function within the 'userspnformsave' case. The conditional...

9.8CVSS0.00889EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.2 views

PT-2026-31078

Name of the Vulnerable Software and Affected Versions Users manager – PN plugin for WordPress versions up to and including 1.1.15 Description The Users manager – PN plugin for WordPress is susceptible to a privilege escalation issue due to a flaw in authorization logic. Specifically, the userspn...

9.8CVSS5.8AI score0.00889EPSS
Exploits0References22
Patchstack
Patchstack
added 2026/04/07 10:39 p.m.9 views

WordPress Link Whisper Free plugin < 0.9.1 - Unauthenticated Settings and User Meta Update vulnerability

Unauthenticated Settings and User Meta Update vulnerability discovered by yiğit ibrahim sağlam in WordPress Plugin Link Whisper Free versions 0.9.1...

6.5CVSS5.9AI score0.00186EPSS
Exploits1References1Affected Software1
CVE
CVE
added 2026/04/07 6:0 a.m.14 views

CVE-2026-1900

The CVE-2026-1900 entry relates to the WordPress plugin Link Whisper Free (versions prior to 0.9.1). A publicly accessible REST endpoint allows unauthenticated users to update settings, which is the root cause of the vulnerability. Impact is described as unauthenticated settings updates; practica...

6.5CVSS5.9AI score0.00186EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/21 3:27 a.m.2 views

CVE-2026-4261

The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'onexpiredefaulttorole' meta through the 'saveextrauserprofilefields' function. This makes it possible for authenticated...

8.8CVSS5.8AI score0.00253EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/26 2:23 a.m.4 views

CVE-2026-1779 User Registration & Membership <= 5.1.2 - Authentication Bypass

The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'registermember' function. This makes it possible for unauthenticated attackers to log in a newly registered user ...

8.1CVSS5.3AI score0.00335EPSS
Exploits0References2
CVE
CVE
added 2026/02/26 2:23 a.m.20 views

CVE-2026-1779

The vulnerability CVE-2026-1779 affects the WordPress plugin User Registration & Membership (UP to version 5.1.2). The root cause is an incorrect authentication path in the register_member function, enabling unauthenticated attackers to log in a newly registered user who has the urm_user_just_cre...

8.1CVSS5.3AI score0.00335EPSS
Exploits0References2
Rows per page
Query Builder