Lucene search
K

711 matches found

CVE
CVE
added 2026/07/01 6:0 a.m.21 views

CVE-2026-10750

CVE-2026-10750 concerns the Royal MCP WordPress plugin prior to 1.4.26. The issue arises because the plugin does not perform capability checks on most MCP tools after token authentication, enabling authenticated, low-privilege users (e.g., Subscriber) to read private content, enumerate users and ...

8.1CVSS5.8AI score0.00267EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/06/30 7:21 p.m.7 views

WordPress Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin <= 4.9.8 - Authenticated (Contributor+) Insufficient Authorization to Private Content Disclosure vulnerability

Authenticated Contributor+ Insufficient Authorization to Private Content Disclosure vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin Slim SEO versions = 4.9.8...

4.3CVSS5.8AI score0.00257EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.7 views

PT-2026-52203

Name of the Vulnerable Software and Affected Versions GitLab EE versions 18.6 through 18.11.5 GitLab EE versions 19.0 through 19.0.2 GitLab EE versions 19.1 through 19.1.0 Description Insufficient authorization checks could allow an authenticated user with limited permissions to access project...

3.1CVSS5.8AI score0.00182EPSS
Exploits0References7
NVD
NVD
added 2026/06/24 7:16 a.m.24 views

CVE-2026-12416

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravelinvoicechangepassword function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and...

9.8CVSS0.00364EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/06/20 8:29 a.m.10 views

CVE-2026-11912

The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This vulnerability is...

7.5CVSS6AI score0.00433EPSS
Exploits0References8
EUVD
EUVD
added 2026/06/18 6:50 a.m.10 views

EUVD-2026-37864

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabcappointmentscalendarload2 function, which is reachable vi...

4.3CVSS5.4AI score0.00285EPSS
Exploits0References10
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.12 views

WordPress plugin Soledad 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

5.4CVSS5.5AI score0.00177EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:27 p.m.10 views

CVE-2026-40134

Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and...

4.3CVSS5.5AI score0.00198EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.12 views

CVE-2026-27681

Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of th...

9.9CVSS6.2AI score0.00501EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.8 views

WordPress plugin Printeers Print & Ship 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There ar...

6.5CVSS5.5AI score0.00174EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/01 9:49 p.m.11 views

CVE-2026-24755

Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource...

5.4CVSS5.8AI score0.00138EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/01 9:45 p.m.8 views

CVE-2026-24753

Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade...

6.5CVSS5.8AI score0.00174EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/06/01 12:0 a.m.11 views

WordPress plugin Hydra Booking 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

7.3CVSS5.5AI score0.00178EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/28 8:13 p.m.11 views

CVE-2026-45009

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access...

5.3CVSS5.8AI score0.00168EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.9 views

WordPress plugin Adminimize 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

4.3CVSS5.8AI score0.00213EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 8:16 a.m.15 views

CVE-2026-8046

The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges...

8.1CVSS0.00348EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/26 6:45 a.m.11 views

EUVD-2026-31799

The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges...

8.1CVSS5.8AI score0.00348EPSS
Exploits0References1
Veracode
Veracode
added 2026/05/23 5:36 a.m.7 views

Mass Assignment

Flowise is vulnerable to Mass Assignment. The vulnerability is due to insufficient validation and authorization checks in the evaluator create and update operations, where authenticated users can modify server-controlled properties to take over evaluators across workspaces...

8.8CVSS5.9AI score0.00335EPSS
Exploits0References4Affected Software1
CNNVD
CNNVD
added 2026/05/19 12:0 a.m.12 views

WordPress plugin Presto Player 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

4.3CVSS5.8AI score0.00238EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/18 6:50 a.m.9 views

CVE-2026-28759 Insufficient authorization in shared channel membership sync allows remote cluster to remove users from arbitrary channels

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References1
Rows per page
Query Builder