Lucene search

18 matches found

EUVD
added 2026/05/28 6:45 a.m. · 6 views

EUVD-2026-32730

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...

CVSS 5.3 · AI score 5.9 · EPSS 0.0004
Exploits: 0 · References: 5

Positive Technologies
added 2026/05/28 12:0 a.m. · 7 views

PT-2026-44204

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...

CVSS 5.3 · AI score 5.9 · EPSS 0.0004
Exploits: 0 · References: 6

NVD
added 2026/03/05 4:15 a.m. · 1 view

CVE-2026-2899

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the deleteFile method in the Uploader class lacking nonce verification and capability checks. The AJAX action is registered via...

CVSS 6.5 · EPSS 0.00163
Exploits: 0 · References: 2

Vulnrichment
added 2026/03/02 6:42 p.m. · 0 views

CVE-2025-48582

In multiple locations, there is a possible way to delete media without the MANAGE_EXTERNAL_STORAGE permission due to an intent redirect. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

AI score 6.1 · EPSS 0.00004
Exploits: 0 · References: 1

Positive Technologies
added 2026/01/24 12:0 a.m. · 5 views

PT-2026-4569

The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media...

CVSS 5.3 · AI score 5.7 · EPSS 0.00044
Exploits: 0 · References: 5

RedhatCVE
added 2026/01/09 9:16 a.m. · 2 views

CVE-2025-13419

The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possibl...

CVSS 5.3 · AI score 5.5 · EPSS 0.00115
Exploits: 0 · References: 1

NVD
added 2025/12/17 8:15 p.m. · 2 views

CVE-2025-34435

AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video...

CVSS 8.7 · EPSS 0.00066
Exploits: 0 · References: 4

EUVD
added 2025/12/17 7:50 p.m. · 1 view

EUVD-2025-203954

AVideo versions prior to 20.0 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video...

CVSS 8.7 · AI score 6.4 · EPSS 0.00066
Exploits: 0 · References: 4

EUVD
added 2025/10/03 8:7 p.m. · 8 views

EUVD-2023-12369

Malicious code in bioql PyPI...

CVSS 8.1 · AI score 8.3 · EPSS 0.00459
Exploits: 4 · References: 4

RedhatCVE
added 2025/05/23 5:41 a.m. · 6 views

CVE-2023-0291

The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsmremovefilefdquestion AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated attackers to delete arbitrar...

CVSS 9.1 · AI score 5.7 · EPSS 0.00092
Exploits: 5 · References: 1

Vulnrichment
added 2025/03/11 3:32 p.m. · 9 views

CVE-2025-27602 Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content

Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folde...

CVSS 4.9 · AI score 5 · EPSS 0.00195
Exploits: 0 · References: 3

Github Security Blog
added 2025/03/11 3:27 p.m. · 25 views

Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content

Impact: Via manipulation of backoffice API URLs it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. Patches: Will be patched in 10.8.9 and 13.7.1. Workarounds: None available...

CVSS 6.4 · AI score 6.6 · EPSS 0.00195
Exploits: 0 · References: 5 · Affected Software: 1

OSV
added 2024/08/29 11:15 a.m. · 0 views

CVE-2024-5857

The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the af2handelfileremove AJAX action in all versions up to, and including, 3.7.3.2. This makes it...

CVSS 5.3 · AI score 5.9 · EPSS 0.00161
Exploits: 0 · References: 2

OSV
added 2024/08/20 1:15 p.m. · 2 views

CVE-2024-42585

A Cross-Site Request Forgery (CSRF) in the component deletemedia.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges...

CVSS 8.8 · AI score 5.8 · EPSS 0.00335
Exploits: 1 · References: 1

CNNVD
added 2024/08/20 12:0 a.m. · 1 view

Warehouse Inventory System Security Vulnerability

Warehouse Inventory System is a Warehouse Inventory Management System by Siamon Hasan Personal Developer. A cross-site request forgery vulnerability exists in Warehouse Inventory System v2.0, which stems from the deletemedia.php component not adequately verifying that a request comes from a trust...

CVSS 8.8 · AI score 6.8 · EPSS 0.00335
Exploits: 1 · References: 2

Positive Technologies
added 2024/08/20 12:0 a.m. · 2 views

PT-2024-30047 · Unknown · Warehouse Inventory System

Name of the Vulnerable Software and Affected Versions: Warehouse Inventory System version v2.0. Description: A Cross-Site Request Forgery (CSRF) issue in the delete media.php component allows attackers to escalate privileges. Recommendations: For Warehouse Inventory System version v2.0, consider...

CVSS 8.8 · AI score 7.7 · EPSS 0.00335
Exploits: 1 · References: 4

Positive Technologies
added 2024/05/02 12:0 a.m. · 3 views

PT-2024-24996 · WordPress · User Registration – Custom Registration Form

Name of the Vulnerable Software and Affected Versions: User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin versions up to, and including, 3.1.5 Description: The issue is related to unauthorized loss of data due to a missing capability check on the profile p...

CVSS 6.5 · AI score 6.9 · EPSS 0.00751
Exploits: 0 · References: 6

ATTACKERKB
added 2023/06/09 6:15 a.m. · 2 views

CVE-2023-0292

The Quiz And Survey Master plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.8. This is due to missing nonce validation on the function associated with the qsmremovefilefdquestion AJAX action. This makes it possible for unauthenticated attacker...

CVSS 8.1 · AI score 6 · EPSS 0.00459
Exploits: 4 · References: 5