Lucene search
K

5 matches found

Nuclei
Nuclei
added yesterday13 views

HT Mega < 3.0.7 - Sensitive Information Disclosure

The HT Mega plugin for WordPress is vulnerable to Sensitive Information Exposure via AJAX actions. This template dynamically extracts the security nonce before exploitation. id: CVE-2026-4106 info: name: HT Mega 3.0.7 - Sensitive Information Disclosure author: EFETR severity: high description: |...

5.3CVSS5.9AI score0.00742EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/01/14 5:28 a.m.6 views

CVE-2025-14464 PDF Resume Parser <= 1.0 - Unauthenticated Sensitive Information Disclosure in SMTP Credentials

The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials...

5.3CVSS5.7AI score0.00323EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/11/11 3:30 a.m.8 views

CVE-2025-11986 Crypto Tool <= 2.22 - Unauthenticated Information Exposure via Global Authentication State

The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action wpajaxnoprivcryptoconnectajaxprocess that allows calling the register and savenft methods with only a...

5.3CVSS0.00331EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2025/11/05 5:8 a.m.6 views

CVE-2025-11758

The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wpajaxnopriv hooks, while relying onl...

6.5CVSS5.3AI score0.00249EPSS
Exploits0References1
OSV
OSV
added 2022/04/25 4:16 p.m.2 views

CVE-2022-0287

The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog...

4.3CVSS5.8AI score0.00752EPSS
Exploits1References1
Rows per page
Query Builder