Lucene search
K

8 matches found

CVE
CVE
added 5 hours ago8 views

CVE-2026-12988

CVE-2026-12988 affects the WP 2FA WordPress plugin prior to 3.1.1.2. The root cause is that the plugin does not verify that the email address used during the two-factor authentication setup belongs to the user. As a result, an attacker who has a user’s credentials can redirect the setup verificat...

6.1AI score
Exploits0References1
EUVD
EUVD
added 5 hours ago4 views

EUVD-2026-43628

The WP 2FA WordPress plugin before 3.1.1.2 does not verify that the email address supplied during two-factor authentication setup belongs to the user, allowing an attacker who has obtained a user's credentials to redirect the setup verification code to an attacker-controlled email address and tak...

6.1AI score
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:32 p.m.12 views

CVE-2026-6214

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listenforsavingexportschedule function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration,...

6.5CVSS5.4AI score0.00438EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/14 6:32 p.m.47 views

CVE-2025-64526 Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

6.9CVSS0.00492EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/14 6:32 p.m.10 views

CVE-2025-64526 Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

6.9CVSS6AI score0.00492EPSS
Exploits0References4
CVE
CVE
added 2026/05/14 6:32 p.m.44 views

CVE-2025-64526

CVE-2025-64526 (Strapi) affects the @strapi/plugin-users-permissions rate-limiting key construction. In Strapi versions prior to 5.45.0, the rate-limit middleware used the request body’s email field as part of the rate-limit key (userIdentifier = ctx.request.body.email), even on routes where the ...

6.9CVSS6AI score0.00492EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/09 12:31 p.m.7 views

CVE-2023-40260

EmpowerID before 7.205.0.1 allows an attacker to bypass an MFA multi factor authentication requirement if the first factor username and password is known, because the first factor is sufficient to change an account's email address, and the product would then send MFA codes to the new email addres...

9.1CVSS7AI score0.00526EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2021/12/17 5:15 p.m.3 views

CVE-2021-37862

Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token...

5.8CVSS5.9AI score0.00667EPSS
Exploits0References3
Rows per page
Query Builder