CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 10 hours ago•4 views

CVE-2026-8614

The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistioplugindeleteassistiosettings function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers,...

4.3CVSS

Exploits0References3

NVD•added 10 hours ago•4 views

CVE-2026-12094

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdbajaxdeleteuser function in versions up to, and including, 1.0.0. The handler is registered against both wpajaxcf7cdbdelete and...

5.3CVSS

Exploits0References4

EUVD•added 12 hours ago•4 views

EUVD-2026-38674

The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplussavetokenactioncallback and searchplusresettokenactioncallback...

5.3CVSS5.9AI score

EUVD•added 12 hours ago•4 views

EUVD-2026-38676

The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF in all versions up to and including 1.0. This is due to a completely broken nonce validation in the entermpclploginoptions function, which contains an inverted check if wpverifynonce... return false;...

4.3CVSS5.8AI score

EUVD•added 12 hours ago•5 views

EUVD-2026-38673

4.3CVSS5.9AI score

EUVD•added 12 hours ago•4 views

EUVD-2026-38668

4.3CVSS5.9AI score

Exploits0References3

CVE•added 12 hours ago•5 views

CVE-2026-12094

The CVE describes a vulnerability in the Advanced Contact Form 7 - Compact DB plugin for WordPress (versions delete() on the wp_cf7cdb_data table, using an attacker-supplied integer ID. This allows unauthenticated attackers to delete arbitrary contact form submission entries by enumerating primar...

5.3CVSS6AI score

Exploits0References4

Nuclei•added yesterday•17 views

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the installoractivateaddonplugins function and a weak nonce hash in all...

9.8CVSS5.9AI score0.02904EPSS

Exploits0References3

NVD•added 2026/06/16 10:16 a.m.•8 views

CVE-2026-2381

The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxpayfororder function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or orderkey verification when...

6.5CVSS0.00267EPSS

CVE•added 2026/06/16 5:33 a.m.•11 views

CVE-2026-5149

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization up to version 2.0.7 due to get_submission_content lacking a capability check, enabling authenticated attackers with Contributor-level access to view arbitrary form submissions by iterating the entries_id parameter. Affected:...

6.5CVSS5.5AI score0.00238EPSS

Cvelist•added 2026/06/16 5:33 a.m.•28 views

CVE-2026-5149 RTMKit <= 2.0.7 - Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via 'entries_id' Parameter

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the getsubmissioncontent AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

6.5CVSS0.00238EPSS

Positive Technologies•added 2026/06/16 12:0 a.m.•9 views

PT-2026-49620

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action remove abandoned function, which is registered to both the wp ajax...

5.3CVSS5.5AI score0.00228EPSS

Positive Technologies•added 2026/06/16 12:0 a.m.•11 views

PT-2026-49613

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get submission content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

6.5CVSS5.5AI score0.00238EPSS

Cvelist•added 2026/06/13 8:29 a.m.•29 views

CVE-2026-1291 Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/saveshortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with...

4.3CVSS0.00214EPSS

RedhatCVE•added 2026/06/10 3:0 p.m.•7 views

CVE-2026-4058

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the usersubscriptioncancel function in all versions up to, and including, 4.3.2. Thi...

4.3CVSS5.5AI score0.00153EPSS

Exploits0References1

NVD•added 2026/06/09 10:16 a.m.•11 views

CVE-2026-4058

4.3CVSS0.00153EPSS

EUVD•added 2026/06/09 9:28 a.m.•12 views

EUVD-2026-35388

4.3CVSS5.5AI score0.00153EPSS

Vulnrichment•added 2026/06/09 9:28 a.m.•8 views

CVE-2026-4058 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation

4.3CVSS5.5AI score0.00153EPSS

Cvelist•added 2026/06/09 9:28 a.m.•37 views

4.3CVSS0.00153EPSS