CVE-2025-12820
CVE-2025-12820 affects the Pure WC Variation Swatches WordPress plugin (versions up to 1.1.7). The issue is a missing authorization check when updating plugin settings, which could allow any authenticated user to modify settings. Connected sources consistently describe it as an Una...
CVE-2025-12361 myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7.1 - Missing Authorization to Sensitive Information Exposure
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This...
CVE-2025-14618 Sweet Energy Efficiency <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Graph Deletion
The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'sweetenergyefficiencyaction' AJAX handler in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers...
WordPress plugin IDonatePro security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform can host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security...
CVE-2025-11369 Essential Blocks <= 5.7.2 - Missing Authorization To Authenticated (Author+) Information Disclosure
The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to missing or incorrect capability checks on the getinstagramaccesstokencallback, googlemapapikeysavecallback and getsiteinfo functions in all...
EUVD-2025-203574
Missing Authorization vulnerability in merkulove Grider for Elementor grider-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Grider for Elementor: from n/a through <= 1.0.8...
EUVD-2025-203602
Missing Authorization vulnerability in emarket-design Request a Quote request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Request a Quote: from n/a through <= 2.5.3...
CVE-2025-66120 WordPress CatFolders plugin <= 2.5.3 - Broken Access Control vulnerability
Missing Authorization vulnerability in CatFolders CatFolders catfolders allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CatFolders: from n/a through <= 2.5.3...
CVE-2025-64632 WordPress Google XML Sitemaps plugin <= 4.1.22 - Broken Access Control vulnerability
Missing Authorization vulnerability in Auctollo Google XML Sitemaps google-sitemap-generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google XML Sitemaps: from n/a through <= 4.1.22...
CVE-2025-64243 WordPress Directory Pro plugin <= 2.5.6 - Broken Access Control vulnerability
Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Directory Pro: from n/a through <= 2.5.6...
CVE-2025-54004
CVE-2025-14998 (Branda – White Label & Branding, Free Login Page Customizer) is a confirmed WordPress vulnerability with unauthenticated privilege escalation via account takeover. Wordfence coverage notes a critical flaw (CVSS 9.8) affecting Branda versions
PT-2025-51386
Name of the Vulnerable Software and Affected Versions: NicolasKulka WPS Bidouille versions through 1.33.1. Description: An authorization issue exists in NicolasKulka WPS Bidouille wps-bidouille, allowing exploitation of incorrectly configured access control security levels. Recommendations: Update to...
CVE-2025-12696 HelloLeads CRM Form Shortcode <= 1.0 - Unauthenticated Settings Reset
The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated users to reset them...
CVE-2025-13403
The Employee Spotlight – Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employeespotlightcheckoptin function in all versions up to, and including, 5.1.3. This makes it possible f...
WordPress plugin Easy Theme Options security vulnerability
...
CVE-2025-10684
The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF checks when activating via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary...
CVE-2025-12783 Premmerce Brands for WooCommerce <= 1.2.13 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update
The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-13866
CVE-2025-13866: The Flow-Flow Social Feed Stream WordPress plugin (versions 3.0.0–4.7.5) is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action. Authenticated attackers with Subscriber level access or higher can modify plugin...
PT-2025-50885
Name of the Vulnerable Software and Affected Versions: Construction Light WordPress theme versions prior to 1.6.8. Description: The Construction Light WordPress theme lacks proper authorization and Cross-Site Request Forgery (CSRF) protection when activated through an AJAX action. This allows any...