CVE-2025-12574 Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for...

EUVD-2025-38289

An issue was discovered in rymcu forest thru commit f782e85 2025-09-04 in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users posts...

CVE-2025-63687

An issue was discovered in rymcu forest thru commit f782e85 2025-09-04 in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users posts...

EUVD-2006-3416

Malware in sbrugna...

CVE-2024-5977

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.13.0 via the 'handleRequest' function due to missing validation on a user controlled key. This makes it possible for authenticated...

WordPress Social Auto Poster plugin <= 5.3.14 - Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability discovered by István Márton in WordPress Plugin Social Auto Poster versions = 5.3.14...

CVE-2024-0248

The EazyDocs WordPress plugin before 2.4.0 re-introduced CVE-2023-6029 https://wpscan.com/vulnerability/7a0aaf85-8130-4fd7-8f09-f8edc929597e/ in 2.3.8, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections. The issue was...

CVE-2023-5506

The ImageMapper plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'imgmapdeleteareaajax' function in versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to...

CVE-2021-25013

The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubelydeletesavedblock AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts...

Code injection

admin/radera/tabort.asp in Hogstorps hogstorp guestbook 2.0 does not verify user credentials, which allows remote attackers to delete arbitrary posts via a modified delID parameter...