21372 matches found

CVE
added yesterday, 10 views

CVE-2026-52799

Gogs (version

CVSS 7.5, AI score 5.9
Exploits: 0, References: 2
CVE
added yesterday, 7 views

CVE-2026-11877

CVE-2026-11877 describes a missing authorization issue in OpenText Access Manager prior to 5.1.3, where an unauthorized user can modify configuration via API calls. The affected product is OpenText Access Manager; the vulnerability stems from insufficient access control on API configuration endpo...

CVSS 6.3, AI score 5.9
Exploits: 0, References: 1
Cvelist
added yesterday, 15 views

CVE-2026-11877 Missing Authorization Vulnerability in OpenText Access Manager

An unauthorized user can modify configuration through API calls that affects the OpenText Access Manager. This issue affects Access Manager before 5.1.3...

CVSS 6.3
Exploits: 0, References: 1
Patchstack
added yesterday, 6 views

WordPress WP Forms Connector plugin <= 1.8 - Missing Authorization to Unauthenticated Information Exposure vulnerability

Missing Authorization to Unauthenticated Information Exposure vulnerability discovered by jamaal in WordPress Plugin WP Forms Connector versions <= 1.8...

CVSS 7.5, AI score 5.8, EPSS 0.00347
Exploits: 0, References: 1, Affected Software: 1
CVE
added yesterday, 7 views

CVE-2026-8688

The CVE pertains to the WordPress plugin Advance Nav Menu Manager (

CVSS 4.3, AI score 5.8, EPSS 0.00227
Exploits: 0, References: 7
CVE
added yesterday, 6 views

CVE-2026-9184

The CVE covers the WordPress plugin 24liveblog (versions up to 2.2). A missing capability check on the AJAX handler update_lb24_token() allows authenticated attackers with author-level access and above to overwrite lb24_token, lb24_uid, lb24_refresh_token, lb24_uname, and related site options, ef...

CVSS 4.3, AI score 5.9, EPSS 0.00215
Exploits: 0, References: 6
Cvelist
added yesterday, 14 views

CVE-2026-9184 24liveblog <= 2.2 - Missing Authorization to Authenticated (Author+) Settings Modification via update_lb24_token AJAX action

The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce which is generated and localized to any...

CVSS 4.3, EPSS 0.00215
Exploits: 0, References: 6
CVE
added yesterday, 4 views

CVE-2026-8614

The CVE concerns the WordPress Assistio plugin (versions ≤ 1.1.2). A missing capability check and missing nonce verification in assistio_plugin_delete_assistio_settings() allows authenticated users with Subscriber-level access and above to modify data, including deleting the critical assistiobot_...

CVSS 4.3, AI score 5.9, EPSS 0.00238
Exploits: 0, References: 3
Cvelist
added yesterday, 14 views

CVE-2026-8614 Assistio <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Deletion via assistio_plugin_delete_assistio_settings AJAX Action

The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistio_plugin_delete_assistio_settings function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers,...

CVSS 4.3, EPSS 0.00238
Exploits: 0, References: 3
CVE
added yesterday, 5 views

CVE-2026-12094

The CVE describes a vulnerability in the Advanced Contact Form 7 - Compact DB plugin for WordPress (versions delete() on the wp_cf7cdb_data table, using an attacker-supplied integer ID. This allows unauthenticated attackers to delete arbitrary contact form submission entries by enumerating primar...

CVSS 5.3, AI score 6, EPSS 0.00295
Exploits: 0, References: 4
EUVD
added yesterday, 7 views

EUVD-2026-38659

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_account REST API callback being registered with a permission_callback that unconditionally returns tru...

CVSS 5.3, AI score 6, EPSS 0.00348
Exploits: 0, References: 3
CVE
added yesterday, 4 views

CVE-2026-9175

The CVE concerns the WordPress plugin Devs Accounting – Simple Accounting and Invoicing Solution, affected versions up to 1.2.0. The root cause is a REST endpoint get-account in get_single_account() where the permission_callback unconditionally returns true, resulting in missing authorization for...

CVSS 5.3, AI score 6, EPSS 0.00348
Exploits: 0, References: 3
Cvelist
added yesterday, 14 views

CVE-2026-9175 Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'id' Parameter

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_account REST API callback being registered with a permission_callback that unconditionally returns tru...

CVSS 5.3, EPSS 0.00348
Exploits: 0, References: 3
Nuclei
added yesterday, 15 views

WCFM Membership <= 2.10.0 - Broken Access Control

The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on the AJAX actions: wcfm-memberships, wcfm-memberships-manage, and wcfm-memberships-settings. id: CVE-2022-4940 info:...

CVSS 7.3, AI score 6.8, EPSS 0.01084
Exploits: 0, References: 3
Nuclei
added yesterday, 19 views

WordPress RSVP and Event Management <2.7.8 - Missing Authorization

WordPress RSVP and Event Management plugin before 2.7.8 is susceptible to missing authorization. The plugin does not have any authorization checks when exporting its entries, and the export function is hooked to the init action. An attacker can potentially retrieve sensitive information such as...

CVSS 5.3, AI score 6.1, EPSS 0.03595
Exploits: 1, References: 3
Nuclei
added yesterday, 13 views

PublishPress Capabilities < 2.3.1 - Missing Authorization

The PublishPress Capabilities plugin for WordPress before 2.3.1 does not have proper authorization and CSRF checks when updating settings via the init hook, allowing unauthenticated attackers to update arbitrary blog options, such as setting the default role to administrator. id: CVE-2021-25032...

CVSS 9.8, AI score 7.5, EPSS 0.06745
Exploits: 2, References: 4
Nuclei
added yesterday, 13 views

LottieFiles WordPress Plugin <= 3.0.0 - Missing Authorization

LottieFiles LottieFiles <= 3.0.0 contains a broken access control vulnerability caused by incorrectly configured access control security levels, letting attackers exploit missing authorization, exploit requires no special privileges. id: CVE-2025-68043 info: name: LottieFiles WordPress Plugin <=...

CVSS 7.3, AI score 5.8, EPSS 0.00588
Exploits: 0, References: 3
Nuclei
added yesterday, 10 views

WPZOOM Social Icons Widget <= 4.2.15 - Missing Authorization

WPZOOM Social Icons Widget & Block versions up to 4.2.15 contain a missing authorization vulnerability caused by insufficient access control in the widget and block, letting attackers perform unauthorized actions, exploit requires no special conditions. id: CVE-2024-30464 info: name: WPZOOM Socia...

CVSS 8.8, AI score 7.2, EPSS 0.01517
Exploits: 0, References: 1
Cvelist
added 2 days ago, 25 views

CVE-2026-11807 Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

A missing authorization vulnerability was found in the Event-Driven Ansible EDA websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive...

CVSS 9.6, EPSS 0.00362
Exploits: 0, References: 6
CVE
added 2 days ago, 9 views

CVE-2026-11807

CVE-2026-11807 affects Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint fails to verify permissions when processing Worker messages, permitting any authenticated user to forge a message with an arbitrary activation_id and access plaintext credentials tied to tha...

CVSS 9.6, AI score 5.9, EPSS 0.00362
Exploits: 0, References: 6