24 matches found
EUVD-2026-32722
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user...
CVE-2026-3594 Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint
The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permissioncallback' set to 'returntrue', meaning no...
CVE-2026-3594
The Riaxe Product Customizer plugin for WordPress (
CVE-2026-1004
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eaelproductquickviewpopup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for...
CVE-2026-1004
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eaelproductquickviewpopup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for...
CVE-2026-1004 Essential Addons for Elementor <= 6.5.5 - Missing Authorization to Unauthenticated Sensitive Information Exposure
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eaelproductquickviewpopup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for...
PT-2026-3237
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael product quickview popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for...
EUVD-2025-203187
The GenerateBlocks plugin for WordPress is vulnerable to information exposure due to missing object-level authorization checks in versions up to, and including, 2.1.2. This is due to the plugin registering multiple REST API routes under generateblocks/v1/meta/ that gate access with...
CVE-2025-13606 Export All Posts, Products, Orders, Refunds & Users <= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the parseData function. This makes it possible for unauthenticated attackers...
EUVD-2025-200180
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the parseData function. This makes it possible for unauthenticated attackers...
CVE-2025-13606 Export All Posts, Products, Orders, Refunds & Users <= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the parseData function. This makes it possible for unauthenticated attackers...
CVE-2025-13606
The WordPress plugin WP Ultimate Exporter (Export All Posts, Products, Orders, Refunds & Users) is affected by Cross‑Site Request Forgery up to version 2.19 due to missing or incorrect nonce validation in parseData, enabling unauthenticated attackers to exfiltrate sensitive data (including user d...
CVE-2025-12639
The wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to access sensitive information via the AJAX...
CVE-2025-13085
CVE-2025-13085 affects SiteSEO – SEO Simplified for WordPress (versions
CVE-2025-13085 SiteSEO – SEO Simplified <= 1.3.2 - Insecure Direct Object Reference to Sensitive Post Meta Disclosure
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolvevariables AJAX handler. This makes it possible for...
CVE-2025-13085 SiteSEO – SEO Simplified <= 1.3.2 - Insecure Direct Object Reference to Sensitive Post Meta Disclosure
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolvevariables AJAX handler. This makes it possible for...
PT-2025-47443
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolve variables AJAX handler. This makes it possible for...
EUVD-2025-197961
The wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to access sensitive information via the AJAX...
CVE-2025-12639
The wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to access sensitive information via the AJAX...
CVE-2025-12639 wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce <= 1.2.2 - Missing Authorization to Sensitive Information Disclosure
The wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to access sensitive information via the AJAX...