Lucene search
K

560 matches found

NVD
NVD
added 2026/02/28 10:16 p.m.12 views

CVE-2026-28556

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topicmove, topicmerge, and topicsplit form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without...

5.4CVSS0.0022EPSS
Exploits0References3
OSV
OSV
added 2026/02/28 10:16 p.m.6 views

CVE-2026-28554

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforoapproveajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation...

4.3CVSS5.9AI score0.00268EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/28 9:47 p.m.6 views

CVE-2026-28558 wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the...

6.4CVSS5.8AI score0.00208EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/28 9:47 p.m.4 views

CVE-2026-28558

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the...

6.4CVSS5.8AI score0.00208EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/28 9:47 p.m.3 views

CVE-2026-28556 wpForo Forum 2.4.14 Missing Authorization via Topic Management Form Handlers

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topicmove, topicmerge, and topicsplit form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without...

5.4CVSS5.9AI score0.0022EPSS
Exploits0References3
CVE
CVE
added 2026/02/28 9:47 p.m.20 views

CVE-2026-28555

wpForo Forum 2.4.14 has a missing authorization vulnerability preventing proper access control on the wpforo_close_ajax handler. An authenticated subscriber can close or reopen any forum topic by submitting a valid nonce and an arbitrary topic ID, bypassing moderator permissions and potentially d...

5.3CVSS6AI score0.00268EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/02/28 9:47 p.m.5 views

CVE-2026-28555

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforocloseajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum...

5.3CVSS6AI score0.00268EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/28 9:47 p.m.4 views

CVE-2026-28555 wpForo Forum 2.4.14 Missing Authorization via Topic Close AJAX Handler

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforocloseajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum...

5.3CVSS5.9AI score0.00268EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/28 9:47 p.m.4 views

CVE-2026-28554

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforoapproveajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation...

5.3CVSS6AI score0.00268EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/02/28 9:47 p.m.19 views

CVE-2026-28554

CVE-2026-28554 affects wpForo Forum 2.4.14 and is due to a missing authorization vulnerability in the wpforo_approve_ajax handler. The nonce-only check allows authenticated subscribers to approve or unapprove any forum post by submitting a valid nonce with an arbitrary post ID, bypassing moderati...

5.3CVSS6AI score0.00268EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/28 9:47 p.m.4 views

CVE-2026-28554 wpForo Forum 2.4.14 Missing Authorization via Post Approval AJAX Handler

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforoapproveajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation...

5.3CVSS6AI score0.00268EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/02/28 12:0 a.m.7 views

WordPress plugin wpForo Forum 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

5.3CVSS5.8AI score0.00268EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/02/28 12:0 a.m.10 views

WordPress plugin wpForo Forum 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

5.4CVSS5.8AI score0.0022EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/28 12:0 a.m.13 views

PT-2026-22477

Name of the Vulnerable Software and Affected Versions wpForo Forum version 2.4.14 Description An issue exists in wpForo Forum that allows authenticated subscribers to perform actions typically reserved for moderators. Specifically, attackers can move, merge, or split any forum topic using the top...

5.4CVSS5.9AI score0.0022EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/02/28 12:0 a.m.13 views

PT-2026-22475

Name of the Vulnerable Software and Affected Versions wpForo Forum version 2.4.14 Description The software contains a flaw due to missing authorization checks. An authenticated subscriber can approve or unapprove any forum post by exploiting the wpforo approve ajax AJAX handler. The check relies...

5.3CVSS6AI score0.00268EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/02/26 4:36 a.m.5 views

CVE-2026-1311

The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload a malicious ZIP archive with path...

8.8CVSS6.1AI score0.00734EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/02/26 4:36 a.m.6 views

CVE-2026-1311 Worry Proof Backup <= 0.2.4 - Authenticated (Subscriber+) Path Traversal via Backup Upload

The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload a malicious ZIP archive with path...

8.8CVSS6.1AI score0.00734EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/02/26 12:0 a.m.7 views

PT-2026-22121

Name of the Vulnerable Software and Affected Versions Worry Proof Backup versions up to and including 0.2.4 Description The Worry Proof Backup plugin for WordPress is susceptible to a path traversal issue in all versions up to and including 0.2.4 through the backup upload functionality...

8.8CVSS6.5AI score0.00734EPSS
Exploits1References11
Patchstack
Patchstack
added 2026/02/24 11:35 p.m.8 views

WordPress WP Recipe Maker plugin <= 10.2.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Information Exposure vulnerability discovered by Abhinav Jaswal wrathexe - Self employed in WordPress Plugin WP Recipe Maker versions = 10.2.3...

4.3CVSS5.4AI score0.00222EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/02/19 4:36 a.m.32 views

CVE-2026-0974 Orderable <= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'installplugin' function in all versions up to, and including, 1.20.0. This makes it possible for...

8.8CVSS0.00605EPSS
Exploits0References3
Rows per page
Query Builder