28 matches found
CVE-2026-6803
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wpajax and wpajaxnopriv hooks, as the base...
CVE-2026-7559 Affilia <= 3.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Status Modification
The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
EUVD-2026-43140
The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
CVE-2026-61460
Krayin CRM up to version 2.2.3 is affected by an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController. The root cause is missing record-level ownership validation in edit, update, and destroy methods, e...
CVE-2026-56775
CVE-2026-56775 affects n8n prior to 1.123.55, 2.25.7, and 2.26.2. The issue is an authorization vulnerability in three mutating evaluation test-run endpoints that grant state-changing actions under the workflow:read scope instead of the action-appropriate workflow:execute scope. On systems using ...
CVE-2026-56773 Teable - Missing Authorization in v2 REST API
Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST...
PT-2026-52778
Name of the Vulnerable Software and Affected Versions Teable affected versions not specified Description The v2 REST API controller lacks @Permissions metadata on ORPC endpoints, which enables authenticated users to bypass authorization checks. This allows unauthorized reading of table schemas,...
CVE-2026-10824
The Masteriyo LMS WordPress plugin, version before 2.2.1, has missing authorization checks in the course-progress REST API controller. This allows unauthenticated users to read and permanently delete any user’s course-progress records. The vulnerability is caused by insufficient access control in...
EUVD-2026-31834
OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the...
WordPress Blog2Social: Social Media Auto Post & Scheduler plugin <= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records vulnerability
Missing Authorization to Authenticated Subscriber+ Delete Arbitrary B2S Post Records vulnerability discovered by awhacken in WordPress Plugin Blog2Social versions = 8.9.0...
EUVD-2026-29413
The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access a...
CVE-2026-7050
The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access a...
WordPress plugin Forms Rb 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-27181
MajorDoMo aka Major Domestic Module allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin method reads gr'mode' from $REQUEST and assigns it to $this-mode at the start of execution, making all mode-gated code paths reachable without...
EUVD-2025-204625
The WP DB Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the cleanupall AJAX action. This makes it possible for unauthenticated attackers to delete database records including post...
EUVD-2025-31339
Malicious code in bioql PyPI...
CVE-2025-50369
A Cross-Site Request Forgery CSRF vulnerability exists in the Manage Card functionality /mcgs/admin/manage-card.php of PHPGurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authorized admin to delete medical card records by sending a simple GET request without verifying...
PHPGurukul Medical Card Generation System 安全漏洞
Medical Card Generation System is a medical card generation system. The Medical Card Generation System suffers from a cross-site request forgery vulnerability that stems from the lack of CSRF protection in the Manage Card feature, which can be exploited by an attacker to send a simple GET request...
CVE-2022-3898
The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions including the affiliatesmenu method. This makes it possible for unauthenticated attackers t...
CVE-2024-13429
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the 'jobenforcedelete' due to missing validation on a user controlled key. This makes it possib...