52 matches found
CVE-2026-12271 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Quiz Attempt Modification via IDOR
The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' quiz attempts, overwriting their recorded marks and pass/fail...
CVE-2026-6804
Technical details about CVE-2026-6804 are not publicly available in the provided documents. Monitor for updates for affected versions, impact, and remediation as connected docs are not supplied.
WordPress WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System plugin <= 3.0.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary Modification vulnerability discovered by Sushi Com Abacate in WordPress Plugin WPCafe versions = 3.0.14...
CVE-2026-12134 JoomSport <= 5.7.8 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Group Creation/Modification via season_groupedit AJAX action
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.7.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
WordPress Motors – Car Dealership & Classified Listings Plugin plugin <= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Modification vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary Post Meta Modification vulnerability discovered by Michael Perla vizen5 - clixhouse in WordPress Plugin Motors versions = 1.4.111...
CVE-2026-9233 Quiz and Survey Master (QSM) <= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via qsm_insert_quiz_template AJAX Action
The Quiz and Survey Master QSM – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
WordPress Reviews and Rating – Docplanner plugin <= 1.1.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary Modification vulnerability discovered by Benedictus Jovan aillesiM in WordPress Plugin Reviews and Rating – Docplanner versions = 1.1.4...
WordPress PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin <= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Modification vulnerability
Insecure Direct Object Reference to Authenticated Custom+ Arbitrary Modification vulnerability discovered by Truong Tran in WordPress Plugin PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin versions = 2.3.0...
WordPress Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin <= 5.3.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary Modification vulnerability discovered by momopon1415 in WordPress Plugin Classified Listing versions = 5.3.10...
WordPress FundPress – WordPress Donation Plugin plugin <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status Modification vulnerability
Missing Authorization to Unauthenticated Arbitrary Donation Status Modification vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin FundPress versions = 2.0.8...
WordPress Responsive Blocks – Page Builder for Blocks & Patterns plugin 2.0.9-2.2.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification vulnerability
Missing Authorization to Authenticated Contributor+ Arbitrary Modification vulnerability discovered by Even S in WordPress Plugin Responsive Blocks versions 2.0.9-2.2.1...
WordPress Ziggeo plugin <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'ziggeo_ajax' AJAX Action vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary Modification via 'ziggeoajax' AJAX Action vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Ziggeo versions = 3.1.1...
CVE-2026-4127 Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via 'speedup01_enabled' AJAX Action
The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The speedup01ajaxenabled function, which handles the wpajaxspeedup01enabled AJAX action, does not perform any capability check via currentusercan and also lacks nonce...
CVE-2026-4127
CVE-2026-4127: The Speedup Optimization WordPress plugin is vulnerable up to version 1.5.9 due to Missing Authorization in the speedup01_ajax_enabled() AJAX handler, which lacks current_user_can() checks and nonce verification. This differs from other handlers in the same plugin and enables authe...
CVE-2026-4127 Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via 'speedup01_enabled' AJAX Action
The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The speedup01ajaxenabled function, which handles the wpajaxspeedup01enabled AJAX action, does not perform any capability check via currentusercan and also lacks nonce...
WordPress RockPress plugin <= 1.0.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via AJAX Actions vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary Modification via AJAX Actions vulnerability discovered by Poli - CMC Global in WordPress Plugin RockPress versions = 1.0.17...
WordPress MyRewards plugin <= 5.6.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Tharadol Suksamran d3kc4rt1 in WordPress Plugin MyRewards versions = 5.6.1...
GO-2025-4220 memos vulnerability allows arbitrarily modification or deletion registered identity providers in github.com/usememos/memos
memos vulnerability allows arbitrarily modification or deletion registered identity providers in github.com/usememos/memos...
CVE-2025-14003 Image Gallery – Photo Grid & Video Gallery <= 2.13.3 - Missing Authorization to Authenticated (Author+) Arbitrary Gallery Modification
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the addimagestogallerycallback function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, wit...
CVE-2025-60354
Unauthorized modification of arbitrary articles vulnerability exists in blog-vue-springboot...