136 matches found
CVE-2026-12097
The CVE covers the WordPress User Management plugin (versions up to and including 1.2). Affected component: the plugin’s authorization flow; root cause is improper verification of a user’s permission, enabling an authorization bypass. Impact: unauthenticated attackers can modify the plugin’s expo...
CVE-2026-57334
Unauthenticated Broken Access Control in WP User Frontend = 4.3.7 versions...
EUVD-2026-40105
Unauthenticated Broken Access Control in WP User Frontend = 4.3.7 versions...
CVE-2026-9242 RegistrationMagic <= 6.0.8.6 - Authenticated (Subscriber+) Authentication Bypass via Forged PayPal IPN Request
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN callback handler...
CVE-2026-49766
Subscriber Arbitrary File Deletion in WP User Manager = 2.9.16 versions...
CVE-2026-49766
CVE-2026-49766 affects the WordPress plugin WP User Manager (versions ≤ 2.9.16). The vulnerability is described as an Arbitrary File Deletion issue reported for subscribers. The available metrics indicate a CRITICAL impact (CVSS 3.1: 9.9; NETWORK attack vector; LOW privileges required; no user in...
WordPress WP User Manager – User Profile Builder & Membership plugin <= 2.9.17 - Unauthenticated Path Traversal to Local File Inclusion vulnerability
Unauthenticated Path Traversal to Local File Inclusion vulnerability discovered by Yat in WordPress Plugin WP User Manager versions = 2.9.17...
WordPress User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin <= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation vulnerability
Missing Authorization to Authenticated Subscriber+ Subscription Pack Cancellation vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin WP User Frontend versions = 4.3.2...
EUVD-2026-34928
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the profile template scope function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files...
CVE-2026-9290
The affected product is the WordPress plugin “WP User Manager – User Profile Builder & Membership.” CVE-2026-9290 describes a Local File Inclusion (LFI) vulnerability in all versions up to and including 2.9.17, exploitable via the profile template scope function. This allows unauthenticated attac...
CVE-2026-6506
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoogdprupddata function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This...
CVE-2026-8995 Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ayspollgetuserinformation' AJAX action, which serializes and returns the...
Exploit for CVE-2026-6741
CVE-2026-6741 CVE-2026-6741 is a CVSS 8.8 High Authenticated...
Exploit for CVE-2026-5118
CVE-2026-5118 — Divi Form Builder roles && !isset$rolesobj-...
WordPress User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin <= 5.1.5 - Unauthenticated Missing Authorization to Admin Approval Bypass vulnerability
Unauthenticated Missing Authorization to Admin Approval Bypass vulnerability discovered by Anthony Cihan Hann1bl3L3ct3r - Obviam in WordPress Plugin User Registration versions = 5.1.5...
CVE-2026-7652 LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism
The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the saveconnectedwordpressuser function propagating a LatePoint customer's email address to it...
CVE-2026-7652
The LatePoint WordPress plugin (up to version 5.5.0) is vulnerable to Account Takeover via a Weak Password Recovery Mechanism in the unauthenticated guest booking flow. The root cause is save_connected_wordpress_user() propagating a LatePoint customer’s email to its linked WordPress user via wp_u...
WordPress plugin LatePoint 授权问题漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-42412
Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 4.3.1...
EUVD-2026-26195
Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 4.3.1...