19 matches found
CVE-2026-4326
The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activaterequiredplugins function. Specifically, the current_user_can('install_plugins') capability check does...
EUVD-2026-20825
The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activaterequiredplugins function. Specifically, the current_user_can('install_plugins') capability check does...
CVE-2026-1992 ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the storesettings method in the ExactMetricsOnboarding class accepting a user-supplied triggeredby parameter that is used instead of...
EUVD-2021-11107
Malware in sbrugna...
EUVD-2021-11109
Malware in sbrugna...
PT-2025-38306
Name of the Vulnerable Software and Affected Versions: WP Legal Pages plugin for WordPress versions up to and including 3.4.3. Description: The WP Legal Pages plugin for WordPress is susceptible to unauthorized access of functionality due to a missing capability check on the wplp gdpr install plugin...
CVE-2021-24190
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WooCommerce Conditional Marketing Mailer WordPress plugin before 1.5.2, to install any plugin including a specific version from the WordPress repository, as well as activate arbitrary plugins from the blog,...
CVE-2021-24188
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Content Copy Protection & No Right Click WordPress plugin before 3.1.5, to install any plugin including a specific version from the WordPress repository, as well as activate arbitrary plugins from the blog,...
CVE-2021-24193
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin including a specific version from the WordPress repository, as well as activate arbitrary plugins from the blog, which...
VulnCheck KEV: CVE-2024-11972
A vulnerability is present in the Hunk Companion plugin that allows installation and activation of plugins from the WordPress.org repository via an unauthenticated POST request...
CVE-2021-4446
The Essential Addons for Elementor plugin for WordPress is vulnerable to authorization bypass in versions up to and including 4.6.4 due to missing capability checks and nonce disclosure. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to perform...
CVE-2022-3880
The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan WordPress plugin before 4.20 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins fro...
Plugins can be abused, custom FERC1155 Token can be abused
Lines of code. Vulnerability details. Impact: HIGH - Assets can be stolen/compromised/lost directly. The creator of the vault can add any functionality they want by plugins. Also they can bring any tokens for the vault. It can be used against users, or it will make exploits easier to execute. Proof of...
PT-2022-12270
Name of the Vulnerable Software and Affected Versions: LimeSurvey version 5.2.4. Description: A Remote Code Execution (RCE) issue exists via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. Recommendations: For LimeSurvey version 5.2.4,...
WordPress plugin authorization issue vulnerability (CNVD-2021-36537)
WordPress is a blogging platform from the WordPress Foundation, developed using the PHP language. The platform supports PHP and MySQL servers to set up a personal blog site. WordPress Plugin is a WordPress open source application plugin. An authorization issue vulnerability exists in versions o...
WordPress plugin authorization issue vulnerability (CNVD-2021-36538)
WordPress is a blogging platform from the WordPress Foundation, developed using the PHP language. The platform supports PHP and MySQL servers to set up a personal blog site. WordPress Plugin is a WordPress open source application plugin. An authorization issue vulnerability exists in versions o...
WordPress plugin authorization issue vulnerability
WordPress is a blogging platform from the WordPress Foundation, developed using the PHP language. The platform supports PHP and MySQL servers to set up a personal blog site. WordPress Plugin is a WordPress open source application plugin. Captchinoo, Google recaptcha for admin login page An...
WordPress plugin WP Maintenance Mode & Site Under Construction security vulnerability
WordPress is a blogging platform from the WordPress Foundation, developed using the PHP language. The platform supports PHP and MySQL servers to set up a personal blog site. WordPress Plugin is a WordPress open source application plugin. WP Maintenance Mode & Site Under Construction An...
OS Command Injection
strapi is vulnerable to OS command injection. An attacker with administrative privileges is able to inject and execute arbitrary OS commands on the system via the install and uninstall plugins module due to a lack of validation in the plugin name...