CVE-2026-24901 Outline's IDOR allows unauthorized viewing and seizing of private deleted drafts

Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference IDOR vulnerability in the document restoration logic allows any team member to unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users,...

EUVD-2026-12202

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draftpost function in all versions up to, and including, 4.2.8. This makes it...

EUVD-2026-12184

The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7...

PT-2026-25537

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft post function in all versions up to, and including, 4.2.8. This makes it...

GHSA-VG3J-HPM9-8V5V Craft CMS has a potential information disclosure vulnerability in preview tokens

Summary Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview...

WordPress Fluent Forms Pro plugin <= 6.1.17 - Unauthenticated Stored Cross-Site Scripting via Draft Form Submission vulnerability

Unauthenticated Stored Cross-Site Scripting via Draft Form Submission vulnerability discovered by Prickly Cactus in WordPress Plugin Fluent Forms Pro Add On Pack versions = 6.1.17...

EUVD-2026-9524

The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fluentformstepformsavedata AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce...

CVE-2026-2365

The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fluentformstepformsavedata AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce...

CVE-2026-2365

CVE-2026-2365 affects the Fluent Forms Pro WordPress plugin (versions up to and including 6.1.17). The vulnerability is Stored Cross-Site Scripting via the fluentform_step_form_save_data AJAX action, arising from a publicly accessible draft form submission endpoint without authentication or nonce...

CVE-2026-2365 Fluent Forms Pro <= 6.1.17 - Unauthenticated Stored Cross-Site Scripting via Draft Form Submission

The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fluentformstepformsavedata AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce...

CVE-2026-2365 Fluent Forms Pro <= 6.1.17 - Unauthenticated Stored Cross-Site Scripting via Draft Form Submission

The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fluentformstepformsavedata AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce...

PT-2026-23129

Name of the Vulnerable Software and Affected Versions Fluent Forms Pro versions up to and including 6.1.17 Description The Fluent Forms Pro plugin for WordPress is susceptible to Stored Cross-Site Scripting through the fluentform step form save data AJAX action. The draft form submission endpoint...

CVE-2025-14742

The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajaxsearchrecipes' and 'ajaxgetrecipe' functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-14742

The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajaxsearchrecipes' and 'ajaxgetrecipe' functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-14742

CVE-2025-14742 : The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the ajax_search_recipes and ajax_get_recipe functions in all versions up to and including 10.2.3. This allows authenticated attackers with Subscriber-level acce...

PT-2026-21892

Name of the Vulnerable Software and Affected Versions WP Recipe Maker versions prior to 10.2.3 Description The WP Recipe Maker plugin for WordPress has a flaw that allows unauthorized access to recipe data. This is due to a missing capability check in the ajax search recipes and ajax get recipe...

VulnCheck KEV: CVE-2025-14155

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gettemplatecontent' function in all versions up to, and including, 4.11.53. This makes it possible for...

CVE-2025-13842

The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $REQUEST'postid' parameter without verification in the...

CVE-2026-2386

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpaecreatepage AJAX handler authorizing users only with...

CVE-2026-1942

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2scurationdraft AJAX action in all versions up to, and including, 8.7.4. The curationDraft function only verifies...