Lucene search
K

305 matches found

Cvelist
Cvelist
added yesterday32 views

CVE-2026-10103 Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing...

4.3CVSS0.00145EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday30 views

CVE-2026-12274 Tutor LMS < 3.9.13 - Instructor+ Arbitrary Post Overwrite via IDOR

The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated identifier, allowing authenticated users with instructor-leve...

0.00135EPSS
Exploits0References1
CVE
CVE
added 4 days ago8 views

CVE-2026-1667

The CVE concerns the SEO Plugin by Squirrly SEO for WordPress (up to version 14.0.0) with a vulnerability in savePost() that allows unauthenticated users to create arbitrary posts and, if Advanced Custom Fields is installed, to inject stored XSS scripts. Root cause is a leak of an API token and i...

7.2CVSS6.2AI score0.00186EPSS
Exploits0References2
CVE
CVE
added 5 days ago10 views

CVE-2026-12418

CVE-2026-12418 describes a vulnerability in the WordPress plugin “User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration” (versions up to 4.3.7). An insecure direct object reference exists via the wpuf_files_data parameter due to missing validation on ...

5.3CVSS6AI score0.00243EPSS
Exploits0References8
CVE
CVE
added 2026/07/03 7:53 a.m.17 views

CVE-2026-11900

The CVE-2026-11900 entry concerns the WordPress plugin Ad Inserter – Ad Manager & AdSense Ads up to version 2.8.16. It is vulnerable to an Insecure Direct Object Reference via the shortcodes’ data attribute. The replace_ai_tags() function processes a {reusable-block-N} pattern by calling get_post...

4.3CVSS6AI score0.00273EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/07/01 7:53 a.m.41 views

CVE-2026-10096 Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification via 'page_id' Parameter

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'pageid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, t...

4.3CVSS0.00196EPSS
Exploits0References5
CVE
CVE
added 2026/07/01 7:53 a.m.15 views

CVE-2026-12435

The Motors – Car Dealership & Classified Listings Plugin for WordPress is affected up to version 1.4.111 by an authorization bypass. An authenticated user with subscriber-level access can mark or unmark another user’s car listing as Sold by replaying a valid nonce from their own listing against a...

4.3CVSS5.9AI score0.00232EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/01 7:53 a.m.37 views

CVE-2026-12435 Motors <= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Modification via 'stm_mark_as_sold_car' Parameter

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS0.00232EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/06/16 4:30 a.m.33 views

CVE-2026-9187 Abandoned Contact Form 7 <= 2.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion via 'recover_id' Parameter

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the actionremoveabandoned function, which is registered to both the...

5.3CVSS0.00228EPSS
Exploits0References4
CVE
CVE
added 2026/06/16 4:30 a.m.13 views

CVE-2026-9187

The Abandoned Contact Form 7 plugin for WordPress (

5.3CVSS5.5AI score0.00228EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.17 views

PT-2026-49620

Name of the Vulnerable Software and Affected Versions Abandoned Contact Form 7 versions prior to 2.3 Description The plugin allows unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on a site. This occurs because the action remove abandoned function, register...

5.3CVSS6AI score0.00228EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/06/12 6:22 p.m.13 views

CVE-2026-10715 Camaleon CMS 2.9.2 - Improper authorization in draft autosave endpoint

Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary postid to POST /admin/posttype//drafts and overwrite the draft associated with another user's post...

5.1CVSS5.5AI score0.00215EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.18 views

PT-2026-48948

Name of the Vulnerable Software and Affected Versions Camaleon CMS version 2.9.2 Description Improper authorization in the administrator draft autosave endpoint allows a low-privileged authenticated user to overwrite a draft associated with another user's post. This is achieved by sending an...

5.1CVSS5.3AI score0.00215EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:28 p.m.10 views

CVE-2026-4812

The Advanced Custom Fields ACF plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...

5.3CVSS5.4AI score0.00625EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:28 p.m.11 views

CVE-2026-4301

The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsrreview AJAX handler lacks both capability checks and nonce verification. The only access control is an isuserloggedin check...

4.3CVSS5.5AI score0.00271EPSS
Exploits0References1
GithubExploit
GithubExploit
added 2026/05/28 1:56 p.m.113 views

Exploit for CVE-2026-8380

CVE-2026-8380 CVE-2026-8380 — Frontend File Manager = 23.6...

6AI score0.00342EPSS
Exploits1
Patchstack
Patchstack
added 2026/05/14 10:46 a.m.13 views

WordPress InfusedWoo Pro plugin <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion vulnerability

Unauthenticated Missing Authorization to Arbitrary Post Deletion vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin InfusedWoo Pro versions = 5.1.2...

9.1CVSS5.8AI score0.00264EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/05/14 8:24 a.m.23 views

CVE-2026-6512

The CVE-2026-6512 entry concerns InfusedWoo Pro for WordPress, vulnerable to an authorization bypass in all versions up to 5.1.2. The issue arises from improper verification of user authorization, enabling unauthenticated attackers to permanently delete arbitrary posts, pages, products, or orders...

9.1CVSS5.9AI score0.00264EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/14 8:24 a.m.11 views

CVE-2026-6512 InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters

The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete...

9.1CVSS5.9AI score0.00264EPSS
Exploits0References2
CVE
CVE
added 2026/05/13 4:26 a.m.30 views

CVE-2026-7051

The CVE-2026-7051 entry concerns the Blog2Social WordPress plugin (versions up to 8.9.0) with a Missing Authorization issue. The root cause is missing blog_user_id constraints in B2S_Post_Tools::deleteUserPublishPost() and deleteUserSchedPost(), allowing an authenticated subscriber+ to delete oth...

5.4CVSS5.9AI score0.00409EPSS
Exploits0References14
Rows per page
Query Builder