Lucene search
K

2135 matches found

Nuclei
Nuclei
added 10 hours ago18 views

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the installoractivateaddonplugins function and a weak nonce hash in all...

9.8CVSS5.9AI score0.02904EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/01 6:0 a.m.38 views

CVE-2026-11562 WS Form LITE < 1.11.8 - Subscriber+ Arbitrary Settings Update

The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level access and above to modify the WS Form LITE WordPress plugin before 1.11.8's settings...

0.00162EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 6:0 a.m.18 views

CVE-2026-11562

CVE-2026-11562 : The WS Form LITE WordPress plugin is vulnerable prior to version 1.11.8 due to a missing capability check on a settings-update action. This allows authenticated users with subscriber-level access and above to modify the plugin’s settings. Impact is limited to settings modificatio...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/01 3:43 a.m.8 views

EUVD-2026-40887

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsportseasongroupdel AJAX handler, which only...

4.3CVSS5.9AI score0.0025EPSS
Exploits0References10
EUVD
EUVD
added 2026/06/27 6:50 a.m.9 views

EUVD-2026-39954

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activateplugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set o...

4.3CVSS5.8AI score0.00196EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/27 6:50 a.m.9 views

CVE-2026-12471

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activateplugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set o...

4.3CVSS5.8AI score0.00196EPSS
Exploits0References5
CVE
CVE
added 2026/06/27 6:50 a.m.14 views

CVE-2026-12471

The CVE concerns the Spexo WordPress theme. A missing capability check in the activate_plugin function affects all versions up to and including 2.0.11, allowing authenticated attackers with Subscriber-level access and above to activate a limited set of plugins. The information from connected docu...

4.3CVSS5.8AI score0.00196EPSS
Exploits0References4
CVE
CVE
added 2026/06/27 4:30 a.m.26 views

CVE-2026-12415

The CVE concerns the WordPress plugin Invoice Generator. Vulnerable in versions up to 1.0.0 due to a missing capability check on the pravel_invoice_edit_account() AJAX action. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account and accepts attacker-controlled user_id and user_em...

9.8CVSS5.8AI score0.00662EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/27 12:0 a.m.13 views

PT-2026-53055

Name of the Vulnerable Software and Affected Versions Spexo theme for WordPress versions prior to 2.0.12 Description Unauthorized access is possible due to a missing capability check in the activate plugin function. This allows authenticated users with Subscriber-level permissions or higher to...

4.3CVSS5.8AI score0.00196EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/27 12:0 a.m.12 views

PT-2026-53043

Name of the Vulnerable Software and Affected Versions Invoice Generator versions prior to 1.0.1 Description The Invoice Generator plugin for WordPress allows privilege escalation because it fails to perform a capability check on the pravel invoice edit account AJAX action. The handler is exposed...

9.8CVSS5.8AI score0.00662EPSS
Exploits0References10
NVD
NVD
added 2026/06/24 7:16 a.m.12 views

CVE-2026-12094

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdbajaxdeleteuser function in versions up to, and including, 1.0.0. The handler is registered against both wpajaxcf7cdbdelete and...

5.3CVSS0.00295EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/24 5:33 a.m.6 views

EUVD-2026-38674

The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplussavetokenactioncallback and searchplusresettokenactioncallback...

5.3CVSS5.9AI score0.00228EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/24 5:33 a.m.6 views

CVE-2026-12094

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdbajaxdeleteuser function in versions up to, and including, 1.0.0. The handler is registered against both wpajaxcf7cdbdelete and...

5.3CVSS6AI score0.00295EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.10 views

PT-2026-51695

Name of the Vulnerable Software and Affected Versions 24liveblog versions prior to 2.3 Description The 24liveblog plugin for WordPress allows unauthorized data modification because the update lb24 token AJAX function lacks a proper capability check. The handler verifies the 'lb24' nonce but fails...

4.3CVSS5.8AI score0.00215EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.15 views

PT-2026-51680

Name of the Vulnerable Software and Affected Versions Assistio versions prior to 1.1.3 Description The Assistio plugin for WordPress allows authenticated users with Subscriber-level access and above to perform unauthorized data modification. This occurs because the assistio plugin delete assistio...

4.3CVSS5.8AI score0.00238EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.14 views

PT-2026-51677

Name of the Vulnerable Software and Affected Versions Welcome Software Publishing versions prior to 0.0.32 Description The plugin is subject to an Arbitrary Options Update issue caused by a missing capability check in the nc setOption function, which is exposed through the 'nc.setOption' XML-RPC...

8.8CVSS5.8AI score0.00463EPSS
Exploits0References15
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.6 views

Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15

A vulnerability was discovered in the HCI socket implementation due to a missing capability check in the net/bluetooth/hcisock.c file within the Linux kernel. This flaw allows an attacker to execute management commands without authorization, compromising the confidentiality, integrity, and...

6.8CVSS6.6AI score0.0147EPSS
Exploits2References2
NVD
NVD
added 2026/06/16 10:16 a.m.12 views

CVE-2026-2381

The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxpayfororder function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or orderkey verification when...

6.5CVSS0.00267EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/16 5:33 a.m.30 views

CVE-2026-5149 RTMKit <= 2.0.7 - Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via 'entries_id' Parameter

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the getsubmissioncontent AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

6.5CVSS0.00238EPSS
Exploits0References5
CVE
CVE
added 2026/06/16 5:33 a.m.16 views

CVE-2026-5149

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization up to version 2.0.7 due to get_submission_content lacking a capability check, enabling authenticated attackers with Contributor-level access to view arbitrary form submissions by iterating the entries_id parameter. Affected:...

6.5CVSS5.5AI score0.00238EPSS
Exploits0References5
Rows per page
Query Builder