9655 matches found
CVE-2026-2608
The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Contributor-level access...
CVE-2026-1942
CVE-2026-1942 affects Blog2Social: Social Media Auto Post & Scheduler for WordPress (versions up to 8.7.4). The root cause is a missing capability check in the b2s_curation_draft AJAX action: the curationDraft() function only verifies current_user_can('read') and does not require edit_post permis...
CVE-2026-1942 Blog2Social: Social Media Auto Post & Scheduler <= 8.7.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2scurationdraft AJAX action in all versions up to, and including, 8.7.4. The curationDraft function only verifies...
CVE-2026-1942
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2scurationdraft AJAX action in all versions up to, and including, 8.7.4. The curationDraft function only verifies...
CVE-2026-2127
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...
CVE-2026-2127 SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...
CVE-2026-2127
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...
CVE-2026-2127 SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...
CVE-2026-1831
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymailinstallyaysmtp' AJAX action and /yaymail/v1/addons/activate REST endpoint in all versions up to, and including, 4.3.2...
CVE-2026-1831
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymailinstallyaysmtp' AJAX action and /yaymail/v1/addons/activate REST endpoint in all versions up to, and including, 4.3.2...
CVE-2026-2633 Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Missing Authorization to Authenticated (Contributor+) Unauthorized Media Upload
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the processimagedataajaxcallback function which handles the kadenceimportprocessimagedata AJAX action. T...
CVE-2026-2633
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the processimagedataajaxcallback function which handles the kadenceimportprocessimagedata AJAX action. T...
CVE-2025-12356
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpajaxchangeticketstatus' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers,...
CVE-2025-12356 Tickera – WordPress Event Ticketing <= 3.5.6.4 - Missing Authorization to Authenticated (Subscriber+) Event/Post Status Update
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpajaxchangeticketstatus' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers,...
CVE-2025-12356
CVE-2025-12356 concerns Tickera – Sell Tickets & Manage Events for WordPress. The issue is an unauthorized data modification vulnerability caused by a missing capability check on the wp_ajax_change_ticket_status endpoint. It affects all versions up to and including 3.5.6.4, enabling authenticated...
CVE-2025-12356
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpajaxchangeticketstatus' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers,...
CVE-2026-1925
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'updatetemplatedata' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with...
CVE-2025-12075
The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wostroubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2026-1925
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'updatetemplatedata' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with...
CVE-2025-12037
The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...