Lucene search

5 matches found

EUVD
added 2026/05/27 6:46 a.m. · 10 views

EUVD-2026-32101

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the labbadminajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but doe...

CVSS 6.4 · AI score 5.8 · EPSS 0.00223
Exploits: 0 · References: 4

EUVD
added 2025/11/15 9:30 a.m. · 4 views

EUVD-2025-197688

The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the cgcheckwpadminuploadv10 AJAX action for both authenticated and unauthenticated users without implementing capability checks or non...

CVSS 5.3 · AI score 5.7 · EPSS 0.00277
Exploits: 0 · References: 8

Positive Technologies
added 2024/08/26 12:0 a.m. · 6 views

PT-2024-37800 · WordPress · Oxygen Builder

Name of the Vulnerable Software and Affected Versions: Oxygen Builder plugin for WordPress versions up to, and including, 4.8.3

Description: The issue is related to a missing capability check on the oxy save css from admin AJAX action. This makes it possible for authenticated attackers, with...

CVSS 4.3 · AI score 6.3 · EPSS 0.00314
Exploits: 0 · References: 8

NVD
added 2023/01/13 8:15 p.m. · 18 views

CVE-2022-46953

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=savewindow...

CVSS 7.2 · AI score 7.2 · EPSS 0.00821
Exploits: 1 · References: 1

wpexploit
added 2022/05/13 12:0 a.m. · 121 views

Files Download Delay < 1.0.7 - Subscriber+ Settings Reset

The plugin does not have authorisation and CSRF checks when resetting its settings, which could allow any authenticated user, such as a subscriber, to perform such an action. https://example.com/wp-admin/admin-ajax.php?action=ddlayrestoredefaults...

CVSS 6.5 · AI score 3 · EPSS 0.00406
Exploits: 2