43 matches found
CVE-2026-6802
The CVE-2026-6802 entry concerns the WordPress plugin Easy Upload Files During Checkout, affected up to version 3.0.1. The vulnerability stems from missing authorization checks in the ufdc_custom_init() function, which processes the eufdc-delete parameter without nonce verification, capability ch...
CVE-2026-57747 WordPress Booked plugin <= 3.0.0 - Cross Site Request Forgery (CSRF) vulnerability
Unauthenticated Cross Site Request Forgery CSRF in Booked = 3.0.0 versions...
CVE-2026-39665
The CVE describes a DOM-Based XSS vulnerability in the WordPress plugin SEO Friendly Images (seo-image) by Vladimir Prelovac, affecting versions from n/a up to 3.0.5. Root cause: Improper neutralization of input during web page generation. Impact stated across sources as cross-site scripting acce...
CVE-2026-5632 assafelovic gpt-researcher HTTP REST API Endpoint missing authentication
A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown function of the component HTTP REST API Endpoint. Performing a manipulation results in missing authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be...
CVE-2026-25372 WordPress Academy LMS plugin <= 3.5.3 - Broken Access Control vulnerability
Missing Authorization vulnerability in Kodezen LLC Academy LMS academy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Academy LMS: from n/a through = 3.5.3...
CVE-2026-1412
A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. The impacted element is an unknown function of the file /fort/audit/getclipimg of the component HTTP POST Request Handler. Such manipulation of the argument frame/dirno leads to command...
PT-2026-1779
Name of the Vulnerable Software and Affected Versions Sangfor Operation and Maintenance Management System versions up to 3.0.8 Description A remote OS command injection issue exists in the SessionController function within the /isomp-protocol/protocol/session file of the software. Manipulation of...
CVE-2023-4716
The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mlagallery' shortcode in versions up to, and including, 3.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-67917 WordPress Traveler theme <= 3.2.6 - Broken Access Control vulnerability
Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Traveler: from n/a through = 3.2.6...
CVE-2025-62078
Missing Authorization vulnerability in Fahad Mahmood Easy Upload Files During Checkout easy-upload-files-during-checkout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Upload Files During Checkout: from n/a through = 3.0.0...
CVE-2025-62101 WordPress Pardakht Delkhah plugin <= 3.0.0 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability in Omid Shamloo Pardakht Delkhah allows Cross Site Request Forgery.This issue affects Pardakht Delkhah: from n/a through 3.0.0...
CVE-2025-14437
The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials...
CVE-2025-14455
CVE-2025-14455 affects Image Photo Gallery Final Tiles Grid for WordPress. Public details in Wordfence report show an authenticated-by-design authorization bypass (Contributor+ and above) for gallery management actions, enabling deletion/modification/cloning of any user galleries. A fix exists in...
EUVD-2025-204263
The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials...
CVE-2025-13846 Easy Map Creator <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Easy Map Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level acces...
CVE-2025-13972 WatchTowerHQ <= 3.15.0 - Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter
The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'whtdownloadbigobjectorigin' parameter in all versions up to, and including, 3.15.0. This is due to insufficient path validation in the handlebigobjectdownloadrequest function. This makes it possible for...
CVE-2025-12577 Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Listing Update
The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for...
CVE-2025-64262
CVE-2025-64262 is a CSRF vulnerability in the WordPress plugin Auto Prune Posts (versions
CVE-2025-62911 WordPress Rock Convert plugin <= 3.0.1 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Rock Content Rock Convert rock-convert allows Stored XSS.This issue affects Rock Convert: from n/a through = 3.0.1...
CVE-2025-49913 WordPress CoSchedule plugin <= 3.4.0 - Broken Access Control vulnerability
Missing Authorization vulnerability in CoSchedule CoSchedule coschedule-by-todaymade allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CoSchedule: from n/a through = 3.4.0...