Lucene search
+L

8818 matches found

Nuclei
Nuclei
added 14 hours ago27 views

WordPress Automatic Plugin - Unauthenticated Options Change

WordPress Automatic Plugin versions 3.53.2 and below contains a critical vulnerability that allows unauthenticated users to change arbitrary WordPress options through the processform.php script. The vulnerable script uses updateoption on all POST parameters without authentication or capability...

9.8CVSS8.5AI score0.16408EPSS
Exploits3References2
Nuclei
Nuclei
added 14 hours ago67 views

The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass

The Plus Addons for Elementor plugin before version 4.1.7 allowed attackers to bypass authentication, gain admin access, and create accounts with elevated roles, even when registration was disabled and the Login widget was inactive. id: CVE-2021-24175 info: name: The Plus Addons for Elementor Pag...

9.8CVSS8.3AI score0.14462EPSS
Exploits3References2
Nuclei
Nuclei
added 14 hours ago160 views

SureTriggers – All-in-One Automation Platform ≤ 1.0.78 - Authentication Bypass

The SureTriggers- All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secretkey' value in the 'autheticateuser' function in all versions up to, and including, 1.0.78. Th...

8.1CVSS8.1AI score0.7568EPSS
Exploits8References4
Nuclei
Nuclei
added 14 hours ago21 views

Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation

The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's...

9.8CVSS5.3AI score0.02333EPSS
Exploits1References3
Nuclei
Nuclei
added 14 hours ago15 views

ZimaOS - Authentication Bypass

ZimaOS = 1.5.0 contains a broken authentication caused by improper password validation for known system service accounts in the login function, letting attackers authenticate with any password for these accounts, exploit requires knowledge of common usernames. id: CVE-2026-21891 info: name: ZimaO...

9.8CVSS5.3AI score0.02169EPSS
Exploits1References2
Nuclei
Nuclei
added 14 hours ago13 views

HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation

The HT Mega plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.2.0. This is due to missing validation of the regrole parameter on the htmegaajaxregister function. This makes it possible for unauthenticated attackers to create administrator accounts. id...

9.8CVSS5.6AI score0.03183EPSS
Exploits0References4
EUVD
EUVD
added yesterday7 views

EUVD-2026-45235

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEWUSERISACTIVE=true documented deployment option, newly created accounts are immediately active and can authenticate to reach RCE endpoints, bypassing the need...

9.8CVSS5.3AI score
Exploits0References1
CVE
CVE
added yesterday17 views

CVE-2026-9202

CVE-2026-9202 affects IBM Langflow OSS versions 1.0.0–1.10.0. Unauthenticated attackers can create unlimited user accounts; if NEW_USER_IS_ACTIVE is true, new accounts are immediately active and can authenticate to reach RCE endpoints, bypassing AUTO_LOGIN. IBM CVSS v3.1 base score 9.8 (CRITICAL)...

9.8CVSS5.3AI score
Exploits0References1
Cvelist
Cvelist
added yesterday40 views

CVE-2026-9202 Unauthenticated User Registration Could Lead to Remote Code Execution

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEWUSERISACTIVE=true documented deployment option, newly created accounts are immediately active and can authenticate to reach RCE endpoints, bypassing the need...

9.8CVSS
Exploits0References1
Vulnrichment
Vulnrichment
added yesterday5 views

CVE-2026-9202 Unauthenticated User Registration Could Lead to Remote Code Execution

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEWUSERISACTIVE=true documented deployment option, newly created accounts are immediately active and can authenticate to reach RCE endpoints, bypassing the need...

9.8CVSS5.3AI score
Exploits0References1
NVD
NVD
added yesterday8 views

CVE-2026-16072

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface...

4.9CVSS
Exploits0References2
EUVD
EUVD
added yesterday8 views

EUVD-2024-55667

HCL Aftermarket EPC is vulnerable to attack since It was found that a malicious actor can use brute-force techniques to either guess or confirm valid users in the system. Use renumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system...

5.3CVSS5.3AI score
Exploits0References1
CVE
CVE
added yesterday8 views

CVE-2024-23574

The CVE-2024-23574 entry concerns HCL Aftermarket EPC. The vulnerability is described as allowing brute-force attempts to guess or confirm valid users, indicating a credential-guessing issue with user authentication. The associated CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) yields a ba...

5.3CVSS5.3AI score
Exploits0References1
NVD
NVD
added yesterday6 views

CVE-2026-11966

The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pendin...

5.3CVSS0.00137EPSS
Exploits0References1
EUVD
EUVD
added yesterday6 views

EUVD-2026-45147

The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pendin...

5.3CVSS5.3AI score0.00137EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday5 views

CVE-2026-11966

The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pendin...

5.3AI score0.00137EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday36 views

CVE-2026-11966 User Registration & Membership < 5.2.3 - Unauthenticated Limited User Deletion via Stripe Subscription Handler

The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pendin...

0.00137EPSS
Exploits0References1
CVE
CVE
added yesterday15 views

CVE-2026-11966

The CVE-2026-11966 entry concerns the WordPress plugin User Registration & Membership (before 5.2.3). The issue is an insufficient capability check for unauthenticated callers on a membership payment action, allowing an unauthenticated attacker to act on a caller-supplied user identifier and dele...

5.3CVSS6.1AI score0.00137EPSS
Exploits0References1
EUVD
EUVD
added yesterday6 views

EUVD-2026-45144

The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting...

6.1CVSS5.2AI score0.00235EPSS
Exploits0References1
EUVD
EUVD
added yesterday8 views

EUVD-2026-45142

The Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.8.4. This is due to due to a missing capability check on the 'aiomaticcallgoogleaifunction' function. This makes ...

9.8CVSS6.3AI score0.00294EPSS
Exploits0References2
Rows per page
Query Builder