21346 matches found
CVE-2026-4127
The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The speedup01ajaxenabled function, which handles the wp_ajax_speedup01enabled AJAX action, does not perform any capability check via current_user_can() and also lacks nonce...
CVE-2026-2941 Linksy Search and Replace <= 1.0.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Update via linksy_search_and_replace_item_details
The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with...
CVE-2026-3335 Canto <= 3.1.1 - Missing Authorization to Unauthenticated File Upload
The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the /wp-content/plugins/canto/includes/lib/copy-media.php file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and t...
CVE-2026-3335
The CVE-2026-3335 entry concerns the WordPress Canto plugin (versions up to 3.1.1). The vulnerability is in missing authorization via the file at wp-content/plugins/canto/includes/lib/copy-media.php, which is directly accessible without authentication or nonce checks. The issue arises because fbc...
CVE-2026-3570
The CVE-2026-3570 entry concerns the Smarter Analytics plugin for WordPress. Affected: all versions up to and including 2.0. Root cause: missing authentication and capability checks on the configuration reset function in smarter-analytics.php, in the global scope. Impact: unauthenticated attacker...
PT-2026-26864
The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce verification. This makes i...
PT-2026-26827
The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the linkedin_company_post_reset_handler function hooked to admin_post_reset_linkedin_company_post. This makes it...
Missing Authorization
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization via the list.json.php endpoint in the Permissions plugin. An attacker can retrieve the complete mapping of user groups to plugin permissions,...
Missing Authorization
Overview github.com/ory/oathkeeper/proxy is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Affected versions of this package are vulnerable to Missing Authorization in the evaluation of the X-Forwarded-Proto header due to...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in multiple functions in the gRPC API layer, including MemberList and Compact. An attacker can gain unauthorized access to sensitive cluster operations and information, such as viewing cluster topology, disrupting...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the downloadimage endpoint, which allows unauthenticated access to image files by accepting flowid and filename as path parameters without verifying user authentication or ownership. An attacker can access...
Improper Access Control
OneUptime is vulnerable to Improper Access Control. The vulnerability is due to missing authorization checks on account creation APIs, which allows a low-privileged user to create new accounts via direct API requests...
EUVD-2026-13655
The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions rockpressimport, rockpressimportstatus, rockpresslastimport, rockpressresetimport, and rockpresscheckservices...
CVE-2026-3550 RockPress <= 1.0.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via AJAX Actions
The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions rockpressimport, rockpressimportstatus, rockpresslastimport, rockpressresetimport, and rockpresscheckservices...
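Most of the WordPress entries in this listing (Speedup Optimization, Linksy Search and Replace, Punnel, Company Posts for LinkedIn, RockPress) share one root cause: an admin-ajax.php or admin-post.php handler that runs its privileged action without first checking a capability and a nonce. The following is an added illustration, not code from any of the plugins above. The plugin name, hook names and option key ("example_plugin", "example_save_config", "example_plugin_config") are hypothetical; it shows the vulnerable handler shape the advisories describe beside the hardened form using the WordPress core functions current_user_can(), check_ajax_referer() and wp_create_nonce().

```php
<?php
// Added example, not from any plugin listed on this page.
// "example_*" names are hypothetical placeholders.

// Guard for the Canto-style case: a plugin file requested directly over HTTP,
// outside the WordPress bootstrap, where no auth or nonce functions exist at all.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// --- Vulnerable shape (as described in the advisories) ---
// wp_ajax_{action} only requires *some* logged-in user; a Subscriber qualifies.
// No capability check, no nonce, input written straight to the options table.
function example_save_config_vulnerable() {
    $config = isset( $_POST['config'] ) ? wp_unslash( $_POST['config'] ) : array();
    update_option( 'example_plugin_config', $config );
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_save_config', 'example_save_config_vulnerable' );
// Hooking the same callback on wp_ajax_nopriv_example_save_config would make it
// reachable with no login at all (the "unauthenticated" variants above).

// --- Hardened form ---
function example_save_config_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    //    check_ajax_referer() terminates the request when verification fails.
    check_ajax_referer( 'example_save_config', 'nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege.
    //    Require a capability that matches the action (manage_options for
    //    plugin configuration; choose the narrowest one that fits).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input handling: sanitize before persisting.
    $raw    = isset( $_POST['config'] ) ? wp_unslash( $_POST['config'] ) : array();
    $config = is_array( $raw ) ? array_map( 'sanitize_text_field', $raw ) : array();
    update_option( 'example_plugin_config', $config );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_config', 'example_save_config_hardened' );

// Issue the nonce to the admin-side JavaScript that will call admin-ajax.php.
function example_enqueue_admin_js() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_config' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_js' );

// An admin_post_{action} handler (the Company Posts for LinkedIn pattern) needs
// the same two checks; use check_admin_referer() instead of check_ajax_referer().
function example_reset_hardened() {
    check_admin_referer( 'example_reset' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    delete_option( 'example_plugin_config' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_example_reset', 'example_reset_hardened' );
```

When triaging a plugin for this class, list every add_action() on a wp_ajax_, wp_ajax_nopriv_, admin_post_ or admin_post_nopriv_ hook and confirm that each callback contains both a nonce verification and a current_user_can() check before any state change; a nonce alone does not stop a Subscriber, and a capability check alone does not stop CSRF against an administrator.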