CVE-2026-3488

The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including wpstatisticsgetfilters, wpstatisticsgetPrivacyStatus, wpstatisticsupdatePrivacyStatus, and...

PT-2026-33415

Name of the Vulnerable Software and Affected Versions Canto plugin for WordPress versions prior to 3.1.2 Description Missing authorization occurs due to the absence of capability checks or nonce verification in the updateOptions function. This function is exposed via two AJAX hooks: 'wp ajax...

WordPress plugin WP Statistics 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-33392

The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including wp statistics get filters, wp statistics getPrivacyStatus, wp statistics updatePrivacyStatus, a...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007380)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007380 advisory. In the Linux kernel, the following vulnerability has been resolved: ARM: 9317/1: kexec: Make smp stop calls asynchronous If a panic is triggered by a hrtimer interru...

CVE-2026-3642

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshotformbuilderupdatefielddata AJAX handler lacks any capability checks currentusercan or nonce verification checkajaxreferer/wpverifynonce. The function is...

EUVD-2026-23237

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submissionid' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validatio...

CVE-2026-4160

The CVE-2026-4160 entry concerns the WordPress Fluent Forms plugin (versions up to 6.1.21). Affected component: Stripe SCA confirmation AJAX endpoint handling a submission_id parameter. Root cause: missing authorization and ownership validation on a user-controlled key enables Insecure Direct Obj...

CVE-2026-1572

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler laeadminajax and insufficient...

PT-2026-33267

Name of the Vulnerable Software and Affected Versions AcyMailing versions 9.11.0 through 10.8.1 Description A missing capability check on the 'wp ajax acymailing router' AJAX handler allows authenticated attackers with Subscriber-level access or higher to access admin-only controllers, including...

CVE-2026-3642

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshotformbuilderupdatefielddata AJAX handler lacks any capability checks currentusercan or nonce verification checkajaxreferer/wpverifynonce. The function is...

CVE-2026-3649 Katalogportal-pdf-sync Widget <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action

The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportalpopupshortcode function is registered as an AJAX handler via wpajaxkatalogportalshortcodePrinter but lacks any capability check currentusercan or nonc...

CVE-2026-3642

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshotformbuilderupdatefielddata AJAX handler lacks any capability checks currentusercan or nonce verification checkajaxreferer/wpverifynonce. The function is...

CVE-2026-3642 e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Form Settings Modification via AJAX

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshotformbuilderupdatefielddata AJAX handler lacks any capability checks currentusercan or nonce verification checkajaxreferer/wpverifynonce. The function is...

CVE-2026-4002

CVE-2026-4002 affects the Petje.af WordPress plugin (versions

WordPress e-shot plugin <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Form Settings Modification via AJAX vulnerability

Missing Authorization to Authenticated Subscriber+ Form Settings Modification via AJAX vulnerability discovered by Poli - CMC Global in WordPress Plugin e-shot versions = 1.0.2...

CVE-2026-4365

The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the deletequestionanswer function in all versions up to, and including, 4.3.2.8. The plugin exposes a wprest nonce in public frontend HTML lpData to unauthenticated visitors, and...

com.akamai.edgegrid:edgegrid-signer-async-http-client (>=6.0.1 <=6.0.3-rc.1), com.arpnetworking.metrics:mad-experimental (>=1.2.4 <=1.2.11) +66 more potentially affected by CVE-2026-40490 via org.asynchttpclient:async-http-client (>=3.0.0.Beta1 <=3.0.7)

org.asynchttpclient:async-http-client MAVEN version =3.0.0.Beta1, =6.0.1, =1.2.4, =1.22.5, =1.13.8, =1.1.0, =0.4.8, =0.4.8, =0.4.8, =1.17.0, =1.17.0, =1.17.0, =0.5.0, =2.7.3, =218.0.0, =14.5.0, =16.0.0 and more Source cves: CVE-2026-40490 Source advisory: SNYK:JAVA-ORGASYNCHTTPCLIENT-16032254...

ai.evolv:ascend-sdk (=0.5.0), app.peac:core (=0.0.1) +2567 more potentially affected by CVE-2026-40490 via org.asynchttpclient:async-http-client (>=2.0.0-RC1 <=2.12.4)

org.asynchttpclient:async-http-client MAVEN version =2.0.0-RC1, =0.7.0, =0.7.0, =0.1.0, =0.2.0, =0.7.0, =0.7.0, =0.1.0, =0.2.0, =0.1.0, =0.2.0, =2.2, =2.0, =2.0-RC2 and more Source cves: CVE-2026-40490 Source advisory: SNYK:JAVA-ORGASYNCHTTPCLIENT-16032254...

Origin Validation Error

Overview org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client AHC classes. Affected versions of this package are vulnerable to Origin Validation Error in the Redirect30xInterceptor class. An attacker in control of a cross-origin redirect target via a different exploit...