52 matches found

Cvelist
added 2026/05/29 2:29 p.m. | 48 views

CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission callback unconditionally returning true and the Database::delete...

CVSS 9.1 | EPSS 0.00258
Exploits: 0 | References: 2

CVE
added 2026/05/29 2:29 p.m. | 22 views

CVE-2026-4290

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the REST endpoint /wp-json/wp-travel/v1/travel-guide/{user_id} in all versions up to 10.6.0. The root cause is a check_permission() callback that unconditionally returns true and a Database::delete() call that pas...

CVSS 9.1 | AI score 5.9 | EPSS 0.00258
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/29 12:0 a.m. | 14 views

PT-2026-44859

Name of the Vulnerable Software and Affected Versions: WP Travel Pro versions prior to 10.6.1. Description: The plugin allows unauthenticated attackers to delete arbitrary user accounts, including administrators. This occurs via the '/wp-json/wp-travel/v1/travel-guide/user id' REST API endpoint...

CVSS 9.1 | AI score 5.9 | EPSS 0.00258
Exploits: 0 | References: 5

Cvelist
added 2026/05/02 1:26 p.m. | 30 views

CVE-2026-2554 WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfmdeletewcfmcustomer' due to missing validation on the 'customerid' user...

CVSS 8.1 | EPSS 0.00328
Exploits: 0 | References: 3

Patchstack
added 2026/04/16 12:34 a.m. | 6 views

WordPress Riaxe Product Customizer plugin <= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter vulnerability

Unauthenticated Arbitrary User Deletion via 'user_id' Parameter vulnerability discovered by Kai Aizen in WordPress Plugin Riaxe Product Customizer versions <= 2.1.2...

CVSS 5.3 | AI score 5.8 | EPSS 0.00441
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment
added 2026/04/08 6:43 a.m. | 3 views

CVE-2026-3477 PZ Frontend Manager <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter

The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfmuserrequestactioncallback function, registered via the wpajaxpzfmuserrequestaction action hook, lacks both capability checks and nonce verification. This function...

CVSS 5.3 | AI score 6 | EPSS 0.00319
Exploits: 0 | References: 7

Patchstack
added 2026/04/08 2:4 a.m. | 6 views

WordPress PZ Frontend Manager plugin <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter vulnerability

Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter vulnerability discovered by theviper17y in WordPress Plugin pz-frontend-manager versions <= 1.0.6...

CVSS 5.3 | AI score 5.9 | EPSS 0.00319
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2026/02/15 3:29 p.m. | 17 views

CVE-2026-26367

Affected product: eNet SMART HOME server versions 2.2.1 and 2.3.1. Vulnerability: missing authorization in the deleteUserAccount JSON-RPC method, allowing any authenticated low-privilege user (UG_USER) to delete arbitrary user accounts (excluding built-in admin). Impact: potential for unauthor...

CVSS 8.1 | AI score 5.8 | EPSS 0.00373
Exploits: 2 | References: 2 | Affected Software: 1

Zero Science Lab
added 2026/02/14 12:0 a.m. | 115 views

eNet SMART HOME server 2.3.1 (deleteUserAccount) Arbitrary User Deletion

Summary: Two German specialists in building systems technology are jointly bringing a new, wireless-based smart home system to the market. Gira and JUNG are the companies behind the eNet SMART HOME brand with our subsidiary, INSTA, responsible for developing the system. All three of us are old han...

CVSS 8.1 | AI score 6 | EPSS 0.00373
Exploits: 2

RedhatCVE
added 2026/01/07 9:17 a.m. | 18 views

CVE-2025-1668

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpspDeleteUser function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access a...

CVSS 5.4 | AI score 6.6 | EPSS 0.00281
Exploits: 0 | References: 1

Patchstack
added 2025/12/31 12:0 a.m. | 7 views

WordPress MelaPress Login Security plugin 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability discovered by Michelle Porter - Wordfence in WordPress Plugin MelaPress Login Security versions 2.1.0...

CVSS 8.2 | AI score 5.9 | EPSS 0.0033
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/12/31 12:0 a.m. | 7 views

WordPress MelaPress Login Security Premium plugin 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability discovered by Michelle Porter - Wordfence in WordPress Plugin MelaPress Login Security Premium versions 2.1.0...

CVSS 8.2 | AI score 5.9 | EPSS 0.0033
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2025/11/07 4:28 a.m. | 8 views

CVE-2025-4522 IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the admin_post_donor_delete function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wp_delete_user function, authenticated...

CVSS 6.5 | EPSS 0.00227
Exploits: 0 | References: 5

Vulnrichment
added 2025/11/07 4:28 a.m. | 4 views

CVE-2025-4522 IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the admin_post_donor_delete function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wp_delete_user function, authenticated...

CVSS 6.5 | AI score 6.2 | EPSS 0.00227
Exploits: 0 | References: 5

Vulnrichment
added 2025/10/27 6:0 a.m. | 4 views

CVE-2025-11154 IDonate < 2.1.13 - Unauthenticated User Deletion

The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users...

AI score 6.5 | EPSS 0.0013
Exploits: 1 | References: 1

EUVD
added 2025/10/07 12:30 a.m. | 5 views

EUVD-2018-11504

Malware in sbrugna...

CVSS 6.5 | AI score 6.5 | EPSS 0.01915
Exploits: 5 | References: 4

EUVD
added 2025/10/03 8:7 p.m. | 5 views

EUVD-2024-36822

Malicious code in bioql PyPI...

CVSS 9.1 | AI score 6.6 | EPSS 0.00572
Exploits: 1 | References: 1

Cvelist
added 2025/07/04 1:44 a.m. | 12 views

CVE-2025-5956 WP Human Resource Management 2.0.0 - 2.2.17 - Missing Authorization to Authenticated (Employee+) Arbitrary User Deletion via ajax_delete_employee Function

The WP Human Resource Management plugin for WordPress is vulnerable to Arbitrary User Deletion due to a missing authorization within the ajax_delete_employee function in versions 2.0.0 through 2.2.17. The plugin’s deletion handler reads the client-supplied $_POST['delete'] array and passes each ID...

CVSS 6.5 | EPSS 0.00293
Exploits: 0 | References: 3

Cvelist
added 2025/06/17 3:1 p.m. | 22 views

CVE-2025-49234 WordPress WP Dummy Content Generator plugin <= 3.4.6 - Arbitrary User Deletion vulnerability

Missing Authorization vulnerability in Deepak anand WP Dummy Content Generator wp-dummy-content-generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Dummy Content Generator: from n/a through <= 3.4.6...

CVSS 6.5 | EPSS 0.0033
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 7:26 a.m. | 11 views

CVE-2018-11127

e107 2.1.7 has CSRF resulting in arbitrary user deletion...

CVSS 6.5 | AI score 7.1 | EPSS 0.0053
Exploits: 0 | References: 1