CVE-2026-4373 JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field

The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'UploadedFile::setfromarray' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that...

CVE-2025-67973

CVE-2025-67973 describes a Missing Authorization (Broken Access Control) issue in the WordPress plugin Sunshine Photo Cart, affecting Sunshine Photo Cart up to version 3.5.6.2. Public reports from Red Hat and NVD corroborate a misconfigured access control allowing unauthorized access within Sunsh...

CVE-2025-67973 WordPress Sunshine Photo Cart plugin <= 3.5.6.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through = 3.5.6.2...

WordPress Sunshine Photo Cart plugin <= 3.5.6.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Sunshine Photo Cart versions = 3.5.6.2...

CVE-2025-67939 WordPress Tickera plugin <= 3.5.6.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through = 3.5.6.2...