9655 matches found
CVE-2026-0929 RegistrationMagic < 6.0.7.2 - Subscriber+ Form Creation
The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site...
PT-2026-8313
The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site...
PT-2026-8384
The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install activate plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access a...
Dating <= 11.2.0 - Missing Authorization
The Dating theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 11.2.0. This makes it possible for unauthenticated attackers to perform an unauthorized action...
CVE-2025-14067
The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve...
CVE-2026-2022
The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednaosmartformsgetcampaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and...
CVE-2026-1944
The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbksave function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settin...
CVE-2026-1750
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'savecustomuserprofilefields' function. This makes it possible for authenticated attackers, with...
EUVD-2026-5834
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'savecustomuserprofilefields' function. This makes it possible for authenticated attackers, with...
CVE-2025-15157
The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srmrestoreoptionsdefaults' function in all versions up to, and including, 3.1.19. This...
CVE-2025-15520
The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above...
CVE-2025-6792
The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize rest endpoint in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to...
CVE-2026-1944 CallbackKiller service widget <= 1.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update
The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbksave function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settin...
CVE-2026-2022 Smart Forms <= 2.6.99 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure
The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednaosmartformsgetcampaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and...
CVE-2025-6792 One to one user Chat by WPGuppy <= 1.1.4 - Unauthenticated Information Disclosure via Chat Message Interception
The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize rest endpoint in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to...