19 matches found

Cvelist
added 2026/04/09 1:25 a.m., 23 views

CVE-2026-4326 Vertex Addons for Elementor <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation via 'afeb_activate_required_plugins'

The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins function. Specifically, the current_user_can('install_plugins') capability check does...

CVSS 8.8, EPSS 0.00046
Exploits 0, References 10

CNNVD
added 2025/12/12 12:0 a.m., 1 view

WordPress plugin Construction Light security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

CVSS 4.3, AI score 6.6, EPSS 0.00019
Exploits 0, References 1

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2023-27982

Malicious code in bioql PyPI...

CVSS 4.3, AI score 5.1, EPSS 0.00097
Exploits 0, References 1

RedhatCVE
added 2025/05/23 5:12 a.m., 4 views

CVE-2023-23899

Cross-Site Request Forgery (CSRF) vulnerability in HasThemes Extensions For CF7 plugin <= 2.0.8 versions leads to arbitrary plugin activation...

CVSS 4.3, AI score 7.2, EPSS 0.00097
Exploits 0, References 1

Cvelist
added 2024/05/17 6:42 a.m., 13 views

CVE-2023-32129 WordPress Editorialmag theme <= 1.1.9 - Authenticated Arbitrary Plugin Activation

Missing Authorization vulnerability in Sparkle WP Editorialmag editorialmag. This issue affects Editorialmag: from n/a through 1.1.9...

CVSS 4.3, AI score 4.7, EPSS 0.00177
Exploits 0, References 1

Vulnrichment
added 2024/05/17 6:42 a.m., 18 views

CVE-2023-32129 WordPress Editorialmag theme <= 1.1.9 - Authenticated Arbitrary Plugin Activation

Missing Authorization vulnerability in Sparkle WP Editorialmag editorialmag. This issue affects Editorialmag: from n/a through 1.1.9...

CVSS 4.3, AI score 7, EPSS 0.00177
Exploits 0, References 1

Patchstack
added 2024/04/22 10:55 a.m., 2 views

WordPress ARForms plugin <= 6.4 - Subscriber+ Arbitrary Plugin Activation/Deactivation Vulnerability

Subscriber+ Arbitrary Plugin Activation/Deactivation Vulnerability discovered by Dave Jong (Patchstack) in WordPress Plugin ARForms versions <= 6.4...

CVSS 8.8, AI score 6.9, EPSS 0.00402
Exploits 0, Affected Software 1

Cvelist
added 2023/03/27 3:37 p.m., 11 views

CVE-2023-0497 HT Portfolio < 1.1.6 - Arbitrary Plugin Activation via CSRF

The HT Portfolio WordPress plugin before 1.1.6 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack...

AI score 5, EPSS 0.00135
Exploits 2, References 1

wpexploit
added 2023/02/28 12:0 a.m., 159 views

WP Plugin Manager < 1.1.8 - Arbitrary Plugin Activation via CSRF

The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack. fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...

CVSS 4.3, AI score 5.6, EPSS 0.00106
Exploits 2

WPVulnDB
added 2023/02/28 12:0 a.m., 25 views

WP Plugin Manager < 1.1.8 - Arbitrary Plugin Activation via CSRF

The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack. PoC: fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...

CVSS 4.3, AI score 5.4, EPSS 0.00106
Exploits 2, Affected Software 1

wpexploit
added 2023/02/28 12:0 a.m., 115 views

WP Film Studio < 1.3.5 - Arbitrary Plugin Activation via CSRF

The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack. Activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...

CVSS 6.5, AI score 6.9, EPSS 0.00144
Exploits 2

wpexploit
added 2023/02/28 12:0 a.m., 88 views

Coupon Zen < 1.0.6 - Arbitrary Plugin Activation via CSRF

The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack. fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...

CVSS 4.3, AI score 5.2, EPSS 0.00097
Exploits 2

WPVulnDB
added 2022/04/27 12:0 a.m., 11 views

Coru LFMember <= 1.0.2 - Arbitrary Game Deletion/Activation via CSRF

The plugin does not have CSRF in place when deleting and activating games, which could allow an attacker to make a logged in admin perform such actions. PoC...

AI score 4.3
Exploits 0, Affected Software 1

Patchstack
added 2022/01/28 12:0 a.m., 12 views

WordPress Accesspress Mag theme <= 2.6.5 - Authenticated Arbitrary Plugin Activation/Deactivation vulnerability

Authenticated Arbitrary Plugin Activation/Deactivation vulnerability discovered by Ex.Mi (Patchstack) in WordPress Accesspress Mag theme versions <= 2.6.5. Solution: Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...

AI score 3.8
Exploits 0, References 3, Affected Software 1

WPVulnDB
added 2022/01/24 12:0 a.m., 8 views

Catch Web Tools < 2.7.1 - Subscriber+ Arbitrary Catch IDs Activation/Deactivation

The plugin does not have authorisation and CSRF check in its catchwebtoolscatchidsswitch AJAX action, allowing any authenticated user, such as a subscriber, to activate/disable Catch IDs. PoC: fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...

AI score 2.8
Exploits 0, References 1, Affected Software 1

Patchstack
added 2022/01/24 12:0 a.m., 10 views

WordPress Classic Editor Addon plugin <= 2.6.3 - Arbitrary Plugin Activation vulnerability

Arbitrary Plugin Activation vulnerability discovered by Jan w Oleju in WordPress Classic Editor Addon plugin versions <= 2.6.3. Solution: Update the WordPress Classic Editor Addon plugin to the latest available version (at least 2.6.4)...

AI score 3.3
Exploits 0, References 2, Affected Software 1

Patchstack
added 2021/10/19 12:0 a.m., 11 views

WordPress Download Plugin plugin <= 1.6.0 - Arbitrary Plugin Activation vulnerability

Arbitrary Plugin Activation vulnerability discovered by apple502j in WordPress Download Plugin plugin versions <= 1.6.0. Solution: Update the WordPress Download Plugin plugin to the latest available version (at least 1.6.1)...

CVSS 5.7, AI score 3.8, EPSS 0.00168
Exploits 2, References 3, Affected Software 1

NVD
added 2021/05/14 12:15 p.m., 14 views

CVE-2021-24188

Low privileged users can use the AJAX action 'cppluginsdobuttonjoblatercallback' in the WP Content Copy Protection & No Right Click WordPress plugin before 3.1.5, to install any plugin including a specific version from the WordPress repository, as well as activate arbitrary plugin from the blog,...

CVSS 8.8, EPSS 0.00659
Exploits 2, References 1

WPVulnDB
added 2021/04/22 12:0 a.m., 14 views

Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via CSRF

The "cppluginsdobuttonjoblatercallback" AJAX action, from multiple plugins of the WP-Buy vendor, was lacking CSRF check, allowing attackers to make a logged in administrator install and activate arbitrary plugins including specific version from the WordPress repository which could lead to more...

AI score 5.3
Exploits 0, Affected Software 8